Momentum-Apps/lib/wolfssl/wolfcrypt/src/sp_c64.c

/* sp.c
 *
 * Copyright (C) 2006-2023 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

/* Implementation by Sean Parkinson. */

#ifdef HAVE_CONFIG_H
    #include <config.h>
#endif

#include <wolfssl/wolfcrypt/settings.h>

#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
    defined(WOLFSSL_HAVE_SP_ECC)

#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/cpuid.h>
#ifdef NO_INLINE
    #include <wolfssl/wolfcrypt/misc.h>
#else
    #define WOLFSSL_MISC_INCLUDED
    #include <wolfcrypt/src/misc.c>
#endif

#ifdef RSA_LOW_MEM
#ifndef SP_RSA_PRIVATE_EXP_D
#define SP_RSA_PRIVATE_EXP_D
#endif

#ifndef WOLFSSL_SP_SMALL
#define WOLFSSL_SP_SMALL
#endif
#endif

#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SP_NO_MALLOC)
#undef WOLFSSL_SP_SMALL_STACK
#define WOLFSSL_SP_SMALL_STACK
#endif

#include <wolfssl/wolfcrypt/sp.h>

#ifdef __IAR_SYSTEMS_ICC__
#define __asm__        asm
#define __volatile__   volatile
#define WOLFSSL_NO_VAR_ASSIGN_REG
#endif /* __IAR_SYSTEMS_ICC__ */
#ifdef __KEIL__
#define __asm__        __asm
#define __volatile__   volatile
#endif

#ifndef WOLFSSL_SP_ASM
#if SP_WORD_SIZE == 64
#define SP_PRINT_NUM(var, name, total, words, bits)   \
    do {                                              \
        int ii;                                       \
        byte nb[(bits + 7) / 8];                      \
        sp_digit _s[words];                           \
        XMEMCPY(_s, var, sizeof(_s));                 \
        sp_##total##_norm_##words(_s);                \
        sp_##total##_to_bin_##words(_s, nb);          \
        fprintf(stderr, name "=0x");                  \
        for (ii=0; ii<(bits + 7) / 8; ii++)           \
            fprintf(stderr, "%02x", nb[ii]);          \
        fprintf(stderr, "\n");                        \
    } while (0)

#define SP_PRINT_VAL(var, name)                       \
    fprintf(stderr, name "=0x" SP_PRINT_FMT "\n", var)

#define SP_PRINT_INT(var, name)                       \
    fprintf(stderr, name "=%d\n", var)

#if ((defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && \
     ((!defined(WC_NO_CACHE_RESISTANT) && \
       (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH))) || \
      (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP))) && \
    !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || (defined(WOLFSSL_SP_SMALL) && \
    defined(WOLFSSL_HAVE_SP_ECC) && (!defined(WOLFSSL_SP_NO_256) || \
    defined(WOLFSSL_SP_384) || defined(WOLFSSL_SP_521) || \
    defined(WOLFSSL_SP_1024)))
/* Mask for address to obfuscate which of the two address will be used. */
static const size_t addr_mask[2] = { 0, (size_t)-1 };
#endif

#if defined(WOLFSSL_SP_NONBLOCK) && (!defined(WOLFSSL_SP_NO_MALLOC) || \
                                     !defined(WOLFSSL_SP_SMALL))
    #error SP non-blocking requires small and no-malloc (WOLFSSL_SP_SMALL and WOLFSSL_SP_NO_MALLOC)
#endif

#if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)
#ifndef WOLFSSL_SP_NO_2048
#ifdef WOLFSSL_SP_SMALL
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 53U) {
            r[j] &= 0x1fffffffffffffffL;
            s = 61U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 61
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 60);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 60);
    }
#elif DIGIT_BIT > 61
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x1fffffffffffffffL;
        s = 61U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 61U) <= (word32)DIGIT_BIT) {
            s += 61U;
            r[j] &= 0x1fffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 61) {
            r[j] &= 0x1fffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 61 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 256
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_2048_to_bin_34(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<33; i++) {
        r[i+1] += r[i] >> 61;
        r[i] &= 0x1fffffffffffffffL;
    }
    j = 2055 / 8 - 1;
    a[j] = 0;
    for (i=0; i<34 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 61) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 61);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Normalize the values in each word to 61 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_2048_norm_17(sp_digit* a)
{
    int i;
    for (i = 0; i < 16; i++) {
        a[i+1] += a[i] >> 61;
        a[i] &= 0x1fffffffffffffffL;
    }
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 61 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_2048_norm_34(sp_digit* a)
{
    int i;
    for (i = 0; i < 33; i++) {
        a[i+1] += a[i] >> 61;
        a[i] &= 0x1fffffffffffffffL;
    }
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_2048_mul_34(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[33]) * b[33];
    r[67] = (sp_digit)(c >> 61);
    c &= 0x1fffffffffffffffL;
    for (k = 65; k >= 0; k--) {
        if (k >= 34) {
            i = k - 33;
            imax = 33;
        }
        else {
            i = 0;
            imax = k;
        }
        if (imax - i > 15) {
            int imaxlo;
            lo = 0;
            for (imaxlo = i; imaxlo <= imax; imaxlo += 15) {
                for (; i <= imax && i < imaxlo + 15; i++) {
                    lo += ((sp_uint128)a[i]) * b[k - i];
                }
                c += lo >> 61;
                lo &= 0x1fffffffffffffffL;
            }
            r[k + 2] += (sp_digit)(c >> 61);
            r[k + 1]  = (sp_digit)(c & 0x1fffffffffffffffL);
            c = lo & 0x1fffffffffffffffL;
        }
        else {
            lo = 0;
            for (; i <= imax; i++) {
                lo += ((sp_uint128)a[i]) * b[k - i];
            }
            c += lo >> 61;
            r[k + 2] += (sp_digit)(c >> 61);
            r[k + 1]  = (sp_digit)(c & 0x1fffffffffffffffL);
            c = lo & 0x1fffffffffffffffL;
        }
    }
    r[0] = (sp_digit)c;
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_2048_sqr_34(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[33]) * a[33];
    r[67] = (sp_digit)(c >> 61);
    c = (c & 0x1fffffffffffffffL) << 61;
    for (k = 65; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 33) {
            imax = k;
        }
        else {
            imax = 33;
        }
        if (imax - i >= 14) {
            int imaxlo;
            sp_uint128 hi;

            hi = c >> 61;
            c &= 0x1fffffffffffffffL;
            for (imaxlo = i; imaxlo <= imax; imaxlo += 14) {
                t = 0;
                for (; i <= imax && i < imaxlo + 14; i++) {
                    t += ((sp_uint128)a[i]) * a[k - i];
                }
                c += t * 2;

                hi += c >> 61;
                c &= 0x1fffffffffffffffL;
            }
            r[k + 2] += (sp_digit)(hi >> 61);
            r[k + 1]  = (sp_digit)(hi & 0x1fffffffffffffffL);
            c <<= 61;
        }
        else
        {
            t = 0;
            for (; i <= imax; i++) {
                t += ((sp_uint128)a[i]) * a[k - i];
            }
            c += t * 2;

            r[k + 2] += (sp_digit) (c >> 122);
            r[k + 1]  = (sp_digit)((c >> 61) & 0x1fffffffffffffffL);
            c = (c & 0x1fffffffffffffffL) << 61;
        }
    }
    r[0] = (sp_digit)(c >> 61);
}

/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0x1fffffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 61) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_34(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 34; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x1fffffffffffffffL);
        t >>= 61;
    }
    r[34] = (sp_digit)t;
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_sub_17(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 17; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 2048 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_2048_mont_norm_17(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<16; i++) {
        r[i] = 0x1fffffffffffffffL;
    }
    r[16] = 0xffffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_2048_sub_17(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_2048_cmp_17(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=16; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 60);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_2048_cond_sub_17(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 17; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_add_17(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 16; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x1fffffffffffffffL;
        t[1] += t[0] >> 61;
        r[i+1] = t[1] & 0x1fffffffffffffffL;
        t[2] += t[1] >> 61;
        r[i+2] = t[2] & 0x1fffffffffffffffL;
        t[3] += t[2] >> 61;
        r[i+3] = t[3] & 0x1fffffffffffffffL;
        t[0]  = t[3] >> 61;
    }
    t[0] += (tb * a[16]) + r[16];
    r[16] = t[0] & 0x1fffffffffffffffL;
    r[17] +=  (sp_digit)(t[0] >> 61);
}

/* Shift the result in the high 1024 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_2048_mont_shift_17(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[16] >> 48;
    n += ((sp_int128)a[17]) << 13;

    for (i = 0; i < 16; i++) {
        r[i] = n & 0x1fffffffffffffffL;
        n >>= 61;
        n += ((sp_int128)a[18 + i]) << 13;
    }
    r[16] = (sp_digit)n;
    XMEMSET(&r[17], 0, sizeof(*r) * 17U);
}

/* Reduce the number back to 2048 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_2048_mont_reduce_17(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_2048_norm_17(a + 17);

    for (i=0; i<16; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffffL;
        sp_2048_mul_add_17(a+i, m, mu);
        a[i+1] += a[i] >> 61;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xffffffffffffL;
    sp_2048_mul_add_17(a+i, m, mu);
    a[i+1] += a[i] >> 61;
    a[i] &= 0x1fffffffffffffffL;
    sp_2048_mont_shift_17(a, a);
    over = a[16] - m[16];
    sp_2048_cond_sub_17(a, a, m, ~((over - 1) >> 63));
    sp_2048_norm_17(a);
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_2048_mul_17(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[16]) * b[16];
    r[33] = (sp_digit)(c >> 61);
    c &= 0x1fffffffffffffffL;
    for (k = 31; k >= 0; k--) {
        if (k >= 17) {
            i = k - 16;
            imax = 16;
        }
        else {
            i = 0;
            imax = k;
        }
        if (imax - i > 15) {
            int imaxlo;
            lo = 0;
            for (imaxlo = i; imaxlo <= imax; imaxlo += 15) {
                for (; i <= imax && i < imaxlo + 15; i++) {
                    lo += ((sp_uint128)a[i]) * b[k - i];
                }
                c += lo >> 61;
                lo &= 0x1fffffffffffffffL;
            }
            r[k + 2] += (sp_digit)(c >> 61);
            r[k + 1]  = (sp_digit)(c & 0x1fffffffffffffffL);
            c = lo & 0x1fffffffffffffffL;
        }
        else {
            lo = 0;
            for (; i <= imax; i++) {
                lo += ((sp_uint128)a[i]) * b[k - i];
            }
            c += lo >> 61;
            r[k + 2] += (sp_digit)(c >> 61);
            r[k + 1]  = (sp_digit)(c & 0x1fffffffffffffffL);
            c = lo & 0x1fffffffffffffffL;
        }
    }
    r[0] = (sp_digit)c;
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_mul_17(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_2048_mul_17(r, a, b);
    sp_2048_mont_reduce_17(r, m, mp);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_2048_sqr_17(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[16]) * a[16];
    r[33] = (sp_digit)(c >> 61);
    c = (c & 0x1fffffffffffffffL) << 61;
    for (k = 31; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 16) {
            imax = k;
        }
        else {
            imax = 16;
        }
        if (imax - i >= 14) {
            int imaxlo;
            sp_uint128 hi;

            hi = c >> 61;
            c &= 0x1fffffffffffffffL;
            for (imaxlo = i; imaxlo <= imax; imaxlo += 14) {
                t = 0;
                for (; i <= imax && i < imaxlo + 14; i++) {
                    t += ((sp_uint128)a[i]) * a[k - i];
                }
                c += t * 2;

                hi += c >> 61;
                c &= 0x1fffffffffffffffL;
            }
            r[k + 2] += (sp_digit)(hi >> 61);
            r[k + 1]  = (sp_digit)(hi & 0x1fffffffffffffffL);
            c <<= 61;
        }
        else
        {
            t = 0;
            for (; i <= imax; i++) {
                t += ((sp_uint128)a[i]) * a[k - i];
            }
            c += t * 2;

            r[k + 2] += (sp_digit) (c >> 122);
            r[k + 1]  = (sp_digit)((c >> 61) & 0x1fffffffffffffffL);
            c = (c & 0x1fffffffffffffffL) << 61;
        }
    }
    r[0] = (sp_digit)(c >> 61);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_sqr_17(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_2048_sqr_17(r, a);
    sp_2048_mont_reduce_17(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_17(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 17; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x1fffffffffffffffL);
        t >>= 61;
    }
    r[17] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_2048_cond_add_17(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 17; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_add_17(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 17; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_2048_rshift_17(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<16; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (61 - n))) & 0x1fffffffffffffffL;
    }
    r[16] = a[16] >> n;
}

static WC_INLINE sp_digit sp_2048_div_word_17(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 61) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 61);
    sp_digit t0 = (sp_digit)(d & 0x1fffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 59; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 60) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 61);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 122) - (sp_digit)(d >> 122);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 30) + 1;

    t = (sp_digit)(d >> 60);
    t = (t / dv) << 30;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 29);
    t = t / (dv << 1);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_2048_word_div_word_17(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_div_17(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 17 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 17 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 34 + 1;
        sd = t2 + 17 + 1;

        sp_2048_mul_d_17(sd, d, (sp_digit)1 << 13);
        sp_2048_mul_d_34(t1, a, (sp_digit)1 << 13);
        dv = sd[16];
        t1[17 + 17] += t1[17 + 17 - 1] >> 61;
        t1[17 + 17 - 1] &= 0x1fffffffffffffffL;
        for (i=17; i>=0; i--) {
            r1 = sp_2048_div_word_17(t1[17 + i], t1[17 + i - 1], dv);

            sp_2048_mul_d_17(t2, sd, r1);
            (void)sp_2048_sub_17(&t1[i], &t1[i], t2);
            sp_2048_norm_17(&t1[i]);
            t1[17 + i] -= t2[17];
            t1[17 + i] += t1[17 + i - 1] >> 61;
            t1[17 + i - 1] &= 0x1fffffffffffffffL;
            r1 = sp_2048_div_word_17(-t1[17 + i], -t1[17 + i - 1], dv);
            r1 -= t1[17 + i];
            sp_2048_mul_d_17(t2, sd, r1);
            (void)sp_2048_add_17(&t1[i], &t1[i], t2);
            t1[17 + i] += t1[17 + i - 1] >> 61;
            t1[17 + i - 1] &= 0x1fffffffffffffffL;
        }
        t1[17 - 1] += t1[17 - 2] >> 61;
        t1[17 - 2] &= 0x1fffffffffffffffL;
        r1 = sp_2048_word_div_word_17(t1[17 - 1], dv);

        sp_2048_mul_d_17(t2, sd, r1);
        sp_2048_sub_17(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 34U);
        for (i=0; i<16; i++) {
            r[i+1] += r[i] >> 61;
            r[i] &= 0x1fffffffffffffffL;
        }
        sp_2048_cond_add_17(r, r, sd, r[16] >> 63);

        sp_2048_norm_17(r);
        sp_2048_rshift_17(r, r, 13);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_mod_17(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_2048_div_17(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_2048_mod_exp_17(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 34];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 17 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 17 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 17U * 2U);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_17(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_17(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 17U);
        }
    }
    if (err == MP_OKAY) {
        sp_2048_mul_17(t[1], t[1], norm);
        err = sp_2048_mod_17(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 61;
        c = bits % 61;
        n = e[i--] << (61 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 61;
            }

            y = (int)((n >> 60) & 1);
            n <<= 1;

            sp_2048_mont_mul_17(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 17 * 2);
            sp_2048_mont_sqr_17(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 17 * 2);
        }

        sp_2048_mont_reduce_17(t[0], m, mp);
        n = sp_2048_cmp_17(t[0], m);
        sp_2048_cond_sub_17(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 17 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 34];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 17 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 17 * 2);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_17(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_17(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_17(t[1], t[1], norm);
                err = sp_2048_mod_17(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_17(t[1], a, norm);
            err = sp_2048_mod_17(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 61;
        c = bits % 61;
        n = e[i--] << (61 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 61;
            }

            y = (int)((n >> 60) & 1);
            n <<= 1;

            sp_2048_mont_mul_17(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 17 * 2);
            sp_2048_mont_sqr_17(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 17 * 2);
        }

        sp_2048_mont_reduce_17(t[0], m, mp);
        n = sp_2048_cmp_17(t[0], m);
        sp_2048_cond_sub_17(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 17 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 34) + 34];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 34) + 34), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 34;
        rt = td + 1088;

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_17(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_17(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_17(t[1], t[1], norm);
                err = sp_2048_mod_17(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_17(t[1], a, norm);
            err = sp_2048_mod_17(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_2048_mont_sqr_17(t[ 2], t[ 1], m, mp);
        sp_2048_mont_mul_17(t[ 3], t[ 2], t[ 1], m, mp);
        sp_2048_mont_sqr_17(t[ 4], t[ 2], m, mp);
        sp_2048_mont_mul_17(t[ 5], t[ 3], t[ 2], m, mp);
        sp_2048_mont_sqr_17(t[ 6], t[ 3], m, mp);
        sp_2048_mont_mul_17(t[ 7], t[ 4], t[ 3], m, mp);
        sp_2048_mont_sqr_17(t[ 8], t[ 4], m, mp);
        sp_2048_mont_mul_17(t[ 9], t[ 5], t[ 4], m, mp);
        sp_2048_mont_sqr_17(t[10], t[ 5], m, mp);
        sp_2048_mont_mul_17(t[11], t[ 6], t[ 5], m, mp);
        sp_2048_mont_sqr_17(t[12], t[ 6], m, mp);
        sp_2048_mont_mul_17(t[13], t[ 7], t[ 6], m, mp);
        sp_2048_mont_sqr_17(t[14], t[ 7], m, mp);
        sp_2048_mont_mul_17(t[15], t[ 8], t[ 7], m, mp);
        sp_2048_mont_sqr_17(t[16], t[ 8], m, mp);
        sp_2048_mont_mul_17(t[17], t[ 9], t[ 8], m, mp);
        sp_2048_mont_sqr_17(t[18], t[ 9], m, mp);
        sp_2048_mont_mul_17(t[19], t[10], t[ 9], m, mp);
        sp_2048_mont_sqr_17(t[20], t[10], m, mp);
        sp_2048_mont_mul_17(t[21], t[11], t[10], m, mp);
        sp_2048_mont_sqr_17(t[22], t[11], m, mp);
        sp_2048_mont_mul_17(t[23], t[12], t[11], m, mp);
        sp_2048_mont_sqr_17(t[24], t[12], m, mp);
        sp_2048_mont_mul_17(t[25], t[13], t[12], m, mp);
        sp_2048_mont_sqr_17(t[26], t[13], m, mp);
        sp_2048_mont_mul_17(t[27], t[14], t[13], m, mp);
        sp_2048_mont_sqr_17(t[28], t[14], m, mp);
        sp_2048_mont_mul_17(t[29], t[15], t[14], m, mp);
        sp_2048_mont_sqr_17(t[30], t[15], m, mp);
        sp_2048_mont_mul_17(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 60) / 61) - 1;
        c = bits % 61;
        if (c == 0) {
            c = 61;
        }
        if (i < 17) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (3 - c);
            c += 61;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 34);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 3;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 56;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 3;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 61 - c;
            }

            sp_2048_mont_sqr_17(rt, rt, m, mp);
            sp_2048_mont_sqr_17(rt, rt, m, mp);
            sp_2048_mont_sqr_17(rt, rt, m, mp);
            sp_2048_mont_sqr_17(rt, rt, m, mp);
            sp_2048_mont_sqr_17(rt, rt, m, mp);

            sp_2048_mont_mul_17(rt, rt, t[y], m, mp);
        }

        sp_2048_mont_reduce_17(rt, m, mp);
        n = sp_2048_cmp_17(rt, m);
        sp_2048_cond_sub_17(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 34);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) | WOLFSSL_HAVE_SP_DH */

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_sub_34(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 34; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 2048 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_2048_mont_norm_34(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<33; i++) {
        r[i] = 0x1fffffffffffffffL;
    }
    r[33] = 0x7ffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_2048_sub_34(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_2048_cmp_34(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=33; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 60);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_2048_cond_sub_34(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 34; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_add_34(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 32; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x1fffffffffffffffL;
        t[1] += t[0] >> 61;
        r[i+1] = t[1] & 0x1fffffffffffffffL;
        t[2] += t[1] >> 61;
        r[i+2] = t[2] & 0x1fffffffffffffffL;
        t[3] += t[2] >> 61;
        r[i+3] = t[3] & 0x1fffffffffffffffL;
        t[0]  = t[3] >> 61;
    }
    t[0] += (tb * a[32]) + r[32];
    t[1]  = (tb * a[33]) + r[33];
    r[32] = t[0] & 0x1fffffffffffffffL;
    t[1] += t[0] >> 61;
    r[33] = t[1] & 0x1fffffffffffffffL;
    r[34] +=  (sp_digit)(t[1] >> 61);
}

/* Shift the result in the high 2048 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_2048_mont_shift_34(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[33] >> 35;
    n += ((sp_int128)a[34]) << 26;

    for (i = 0; i < 33; i++) {
        r[i] = n & 0x1fffffffffffffffL;
        n >>= 61;
        n += ((sp_int128)a[35 + i]) << 26;
    }
    r[33] = (sp_digit)n;
    XMEMSET(&r[34], 0, sizeof(*r) * 34U);
}

/* Reduce the number back to 2048 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_2048_mont_reduce_34(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_2048_norm_34(a + 34);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<33; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffffL;
            sp_2048_mul_add_34(a+i, m, mu);
            a[i+1] += a[i] >> 61;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffL;
        sp_2048_mul_add_34(a+i, m, mu);
        a[i+1] += a[i] >> 61;
        a[i] &= 0x1fffffffffffffffL;
    }
    else {
        for (i=0; i<33; i++) {
            mu = a[i] & 0x1fffffffffffffffL;
            sp_2048_mul_add_34(a+i, m, mu);
            a[i+1] += a[i] >> 61;
        }
        mu = a[i] & 0x7ffffffffL;
        sp_2048_mul_add_34(a+i, m, mu);
        a[i+1] += a[i] >> 61;
        a[i] &= 0x1fffffffffffffffL;
    }
#else
    for (i=0; i<33; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffffL;
        sp_2048_mul_add_34(a+i, m, mu);
        a[i+1] += a[i] >> 61;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffL;
    sp_2048_mul_add_34(a+i, m, mu);
    a[i+1] += a[i] >> 61;
    a[i] &= 0x1fffffffffffffffL;
#endif
    sp_2048_mont_shift_34(a, a);
    over = a[33] - m[33];
    sp_2048_cond_sub_34(a, a, m, ~((over - 1) >> 63));
    sp_2048_norm_34(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_mul_34(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_2048_mul_34(r, a, b);
    sp_2048_mont_reduce_34(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_sqr_34(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_2048_sqr_34(r, a);
    sp_2048_mont_reduce_34(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_68(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 68; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x1fffffffffffffffL);
        t >>= 61;
    }
    r[68] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_2048_cond_add_34(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 34; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_add_34(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 34; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_2048_rshift_34(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<33; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (61 - n))) & 0x1fffffffffffffffL;
    }
    r[33] = a[33] >> n;
}

static WC_INLINE sp_digit sp_2048_div_word_34(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 61) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 61);
    sp_digit t0 = (sp_digit)(d & 0x1fffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 59; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 60) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 61);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 122) - (sp_digit)(d >> 122);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 61) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 30) + 1;

    t = (sp_digit)(d >> 60);
    t = (t / dv) << 30;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 29);
    t = t / (dv << 1);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_2048_word_div_word_34(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_div_34(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 34 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 34 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 68 + 1;
        sd = t2 + 34 + 1;

        sp_2048_mul_d_34(sd, d, (sp_digit)1 << 26);
        sp_2048_mul_d_68(t1, a, (sp_digit)1 << 26);
        dv = sd[33];
        t1[34 + 34] += t1[34 + 34 - 1] >> 61;
        t1[34 + 34 - 1] &= 0x1fffffffffffffffL;
        for (i=34; i>=0; i--) {
            r1 = sp_2048_div_word_34(t1[34 + i], t1[34 + i - 1], dv);

            sp_2048_mul_d_34(t2, sd, r1);
            (void)sp_2048_sub_34(&t1[i], &t1[i], t2);
            sp_2048_norm_34(&t1[i]);
            t1[34 + i] -= t2[34];
            t1[34 + i] += t1[34 + i - 1] >> 61;
            t1[34 + i - 1] &= 0x1fffffffffffffffL;
            r1 = sp_2048_div_word_34(-t1[34 + i], -t1[34 + i - 1], dv);
            r1 -= t1[34 + i];
            sp_2048_mul_d_34(t2, sd, r1);
            (void)sp_2048_add_34(&t1[i], &t1[i], t2);
            t1[34 + i] += t1[34 + i - 1] >> 61;
            t1[34 + i - 1] &= 0x1fffffffffffffffL;
        }
        t1[34 - 1] += t1[34 - 2] >> 61;
        t1[34 - 2] &= 0x1fffffffffffffffL;
        r1 = sp_2048_word_div_word_34(t1[34 - 1], dv);

        sp_2048_mul_d_34(t2, sd, r1);
        sp_2048_sub_34(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 68U);
        for (i=0; i<33; i++) {
            r[i+1] += r[i] >> 61;
            r[i] &= 0x1fffffffffffffffL;
        }
        sp_2048_cond_add_34(r, r, sd, r[33] >> 63);

        sp_2048_norm_34(r);
        sp_2048_rshift_34(r, r, 26);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_mod_34(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_2048_div_34(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_2048_mod_exp_34(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 68];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 34 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 34 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 34U * 2U);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_34(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_34(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 34U);
        }
    }
    if (err == MP_OKAY) {
        sp_2048_mul_34(t[1], t[1], norm);
        err = sp_2048_mod_34(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 61;
        c = bits % 61;
        n = e[i--] << (61 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 61;
            }

            y = (int)((n >> 60) & 1);
            n <<= 1;

            sp_2048_mont_mul_34(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 34 * 2);
            sp_2048_mont_sqr_34(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 34 * 2);
        }

        sp_2048_mont_reduce_34(t[0], m, mp);
        n = sp_2048_cmp_34(t[0], m);
        sp_2048_cond_sub_34(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 34 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 68];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 34 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 34 * 2);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_34(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_34(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_34(t[1], t[1], norm);
                err = sp_2048_mod_34(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_34(t[1], a, norm);
            err = sp_2048_mod_34(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 61;
        c = bits % 61;
        n = e[i--] << (61 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 61;
            }

            y = (int)((n >> 60) & 1);
            n <<= 1;

            sp_2048_mont_mul_34(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 34 * 2);
            sp_2048_mont_sqr_34(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 34 * 2);
        }

        sp_2048_mont_reduce_34(t[0], m, mp);
        n = sp_2048_cmp_34(t[0], m);
        sp_2048_cond_sub_34(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 34 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 68) + 68];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 68) + 68), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 68;
        rt = td + 1088;

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_34(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_34(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_34(t[1], t[1], norm);
                err = sp_2048_mod_34(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_34(t[1], a, norm);
            err = sp_2048_mod_34(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_2048_mont_sqr_34(t[ 2], t[ 1], m, mp);
        sp_2048_mont_mul_34(t[ 3], t[ 2], t[ 1], m, mp);
        sp_2048_mont_sqr_34(t[ 4], t[ 2], m, mp);
        sp_2048_mont_mul_34(t[ 5], t[ 3], t[ 2], m, mp);
        sp_2048_mont_sqr_34(t[ 6], t[ 3], m, mp);
        sp_2048_mont_mul_34(t[ 7], t[ 4], t[ 3], m, mp);
        sp_2048_mont_sqr_34(t[ 8], t[ 4], m, mp);
        sp_2048_mont_mul_34(t[ 9], t[ 5], t[ 4], m, mp);
        sp_2048_mont_sqr_34(t[10], t[ 5], m, mp);
        sp_2048_mont_mul_34(t[11], t[ 6], t[ 5], m, mp);
        sp_2048_mont_sqr_34(t[12], t[ 6], m, mp);
        sp_2048_mont_mul_34(t[13], t[ 7], t[ 6], m, mp);
        sp_2048_mont_sqr_34(t[14], t[ 7], m, mp);
        sp_2048_mont_mul_34(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 60) / 61) - 1;
        c = bits % 61;
        if (c == 0) {
            c = 61;
        }
        if (i < 34) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (3 - c);
            c += 61;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 68);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 3;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 57;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 3;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 61 - c;
            }

            sp_2048_mont_sqr_34(rt, rt, m, mp);
            sp_2048_mont_sqr_34(rt, rt, m, mp);
            sp_2048_mont_sqr_34(rt, rt, m, mp);
            sp_2048_mont_sqr_34(rt, rt, m, mp);

            sp_2048_mont_mul_34(rt, rt, t[y], m, mp);
        }

        sp_2048_mont_reduce_34(rt, m, mp);
        n = sp_2048_cmp_34(rt, m);
        sp_2048_cond_sub_34(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 68);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 256 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_2048(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[34 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 34 * 2;
        m = r + 34 * 2;
        norm = r;

        sp_2048_from_bin(a, 34, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_2048_from_mp(m, 34, mm);

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_34(norm, m);
    }
    if (err == MP_OKAY) {
        sp_2048_mul_34(a, a, norm);
        err = sp_2048_mod_34(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 34 * 2);
        for (i--; i>=0; i--) {
            sp_2048_mont_sqr_34(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_2048_mont_mul_34(r, r, a, m, mp);
            }
        }
        sp_2048_mont_reduce_34(r, m, mp);
        mp = sp_2048_cmp_34(r, m);
        sp_2048_cond_sub_34(r, r, m, ~(mp >> 63));

        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[34 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 34 * 2;
        m = r + 34 * 2;

        sp_2048_from_bin(a, 34, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(m, 34, mm);

        if (e[0] == 0x3) {
            sp_2048_sqr_34(r, a);
            err = sp_2048_mod_34(r, r, m);
            if (err == MP_OKAY) {
                sp_2048_mul_34(r, a, r);
                err = sp_2048_mod_34(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_2048_mont_setup(m, &mp);
            sp_2048_mont_norm_34(norm, m);

            sp_2048_mul_34(a, a, norm);
            err = sp_2048_mod_34(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 68U);
                for (i--; i>=0; i--) {
                    sp_2048_mont_sqr_34(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_2048_mont_mul_34(r, r, a, m, mp);
                    }
                }
                sp_2048_mont_reduce_34(r, m, mp);
                mp = sp_2048_cmp_34(r, m);
                sp_2048_cond_sub_34(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 256 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_2048(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[34 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 2048) {
           err = MP_READ_E;
        }
        else if (inLen > 256) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 34;
        m = a + 68;
        r = a;

        sp_2048_from_bin(a, 34, in, inLen);
        sp_2048_from_mp(d, 34, dm);
        sp_2048_from_mp(m, 34, mm);
        err = sp_2048_mod_exp_34(r, a, d, 2048, m, 0);
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 34);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[34 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 2048) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 34;
        m = a + 68;
        r = a;

        sp_2048_from_bin(a, 34, in, inLen);
        sp_2048_from_mp(d, 34, dm);
        sp_2048_from_mp(m, 34, mm);
        err = sp_2048_mod_exp_34(r, a, d, 2048, m, 0);
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 34);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[17 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 256) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 17 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 34;
        qi = dq = dp = p + 17;
        tmpa = qi + 17;
        tmpb = tmpa + 34;
        r = a;

        sp_2048_from_bin(a, 34, in, inLen);
        sp_2048_from_mp(p, 17, pm);
        sp_2048_from_mp(dp, 17, dpm);
        err = sp_2048_mod_exp_17(tmpa, a, dp, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 17, qm);
        sp_2048_from_mp(dq, 17, dqm);
        err = sp_2048_mod_exp_17(tmpb, a, dq, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 17, pm);
        (void)sp_2048_sub_17(tmpa, tmpa, tmpb);
        sp_2048_norm_17(tmpa);
        sp_2048_cond_add_17(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[16] >> 63));
        sp_2048_cond_add_17(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[16] >> 63));
        sp_2048_norm_17(tmpa);

        sp_2048_from_mp(qi, 17, qim);
        sp_2048_mul_17(tmpa, tmpa, qi);
        err = sp_2048_mod_17(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 17, qm);
        sp_2048_mul_17(tmpa, p, tmpa);
        (void)sp_2048_add_34(r, tmpb, tmpa);
        sp_2048_norm_34(r);

        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 17 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[17 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 17 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 34 * 2;
        q = p + 17;
        dp = q + 17;
        dq = dp + 17;
        qi = dq + 17;
        tmpa = qi + 17;
        tmpb = tmpa + 34;
        r = a;

        sp_2048_from_bin(a, 34, in, inLen);
        sp_2048_from_mp(p, 17, pm);
        sp_2048_from_mp(q, 17, qm);
        sp_2048_from_mp(dp, 17, dpm);
        sp_2048_from_mp(dq, 17, dqm);
        sp_2048_from_mp(qi, 17, qim);

        err = sp_2048_mod_exp_17(tmpa, a, dp, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_2048_mod_exp_17(tmpb, a, dq, 1024, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_2048_sub_17(tmpa, tmpa, tmpb);
        sp_2048_norm_17(tmpa);
        sp_2048_cond_add_17(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[16] >> 63));
        sp_2048_cond_add_17(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[16] >> 63));
        sp_2048_norm_17(tmpa);
        sp_2048_mul_17(tmpa, tmpa, qi);
        err = sp_2048_mod_17(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_2048_mul_17(tmpa, tmpa, q);
        (void)sp_2048_add_34(r, tmpb, tmpa);
        sp_2048_norm_34(r);

        sp_2048_to_bin_34(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 17 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 61
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 34);
        r->used = 34;
        mp_clamp(r);
#elif DIGIT_BIT < 61
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 34; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 61) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 61 - s;
        }
        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 34; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 61 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 61 - s;
            }
            else {
                s += 61;
            }
        }
        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_2048(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[34 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expBits > 2048) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 34 * 2;
        m = e + 34;
        r = b;

        sp_2048_from_mp(b, 34, base);
        sp_2048_from_mp(e, 34, exp);
        sp_2048_from_mp(m, 34, mod);

        err = sp_2048_mod_exp_34(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_2048_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 34U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[34 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expBits > 2048) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 34 * 2;
        m = e + 34;
        r = b;

        sp_2048_from_mp(b, 34, base);
        sp_2048_from_mp(e, 34, exp);
        sp_2048_from_mp(m, 34, mod);

        err = sp_2048_mod_exp_34(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_2048_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 34U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_2048
SP_NOINLINE static void sp_2048_lshift_34(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    r[34] = a[33] >> (61 - n);
    for (i=33; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (61 - n))) & 0x1fffffffffffffffL;
    }
    r[0] = (a[0] << n) & 0x1fffffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_2048_mod_exp_2_34(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[103];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 103, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 68;
        XMEMSET(td, 0, sizeof(sp_digit) * 103);

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_34(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 60) / 61) - 1;
        c = bits % 61;
        if (c == 0) {
            c = 61;
        }
        if (i < 34) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (3 - c);
            c += 61;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_2048_lshift_34(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 3;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 56;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 3;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 61 - c;
            }

            sp_2048_mont_sqr_34(r, r, m, mp);
            sp_2048_mont_sqr_34(r, r, m, mp);
            sp_2048_mont_sqr_34(r, r, m, mp);
            sp_2048_mont_sqr_34(r, r, m, mp);
            sp_2048_mont_sqr_34(r, r, m, mp);

            sp_2048_lshift_34(r, r, (byte)y);
            sp_2048_mul_d_34(tmp, norm, (r[34] << 26) + (r[33] >> 35));
            r[34] = 0;
            r[33] &= 0x7ffffffffL;
            (void)sp_2048_add_34(r, r, tmp);
            sp_2048_norm_34(r);
            o = sp_2048_cmp_34(r, m);
            sp_2048_cond_sub_34(r, r, m, ~(o >> 63));
        }

        sp_2048_mont_reduce_34(r, m, mp);
        n = sp_2048_cmp_34(r, m);
        sp_2048_cond_sub_34(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_2048 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 256 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_2048(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[34 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expLen > 256U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 34 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 34 * 2;
        m = e + 34;
        r = b;

        sp_2048_from_mp(b, 34, base);
        sp_2048_from_bin(e, 34, exp, expLen);
        sp_2048_from_mp(m, 34, mod);

    #ifdef HAVE_FFDHE_2048
        if (base->used == 1 && base->dp[0] == 2U &&
                (m[33] >> 3) == 0xffffffffL) {
            err = sp_2048_mod_exp_2_34(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_2048_mod_exp_34(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_2048
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_34(r, out);
        *outLen = 256;
        for (i=0; i<256U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 34U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_1024(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[17 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1024) {
        err = MP_READ_E;
    }
    else if (expBits > 1024) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1024) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 17 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 17 * 2;
        m = e + 17;
        r = b;

        sp_2048_from_mp(b, 17, base);
        sp_2048_from_mp(e, 17, exp);
        sp_2048_from_mp(m, 17, mod);

        err = sp_2048_mod_exp_17(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 17, 0, sizeof(*r) * 17U);
        err = sp_2048_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 34U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[17 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1024) {
        err = MP_READ_E;
    }
    else if (expBits > 1024) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1024) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 17 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 17 * 2;
        m = e + 17;
        r = b;

        sp_2048_from_mp(b, 17, base);
        sp_2048_from_mp(e, 17, exp);
        sp_2048_from_mp(m, 17, mod);

        err = sp_2048_mod_exp_17(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 17, 0, sizeof(*r) * 17U);
        err = sp_2048_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 34U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#else
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_2048_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 49U) {
            r[j] &= 0x1ffffffffffffffL;
            s = 57U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_2048_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 57
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 56);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 56);
    }
#elif DIGIT_BIT > 57
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x1ffffffffffffffL;
        s = 57U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 57U) <= (word32)DIGIT_BIT) {
            s += 57U;
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 57) {
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 57 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 256
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_2048_to_bin_36(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<35; i++) {
        r[i+1] += r[i] >> 57;
        r[i] &= 0x1ffffffffffffffL;
    }
    j = 2055 / 8 - 1;
    a[j] = 0;
    for (i=0; i<36 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 57) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 57);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Normalize the values in each word to 57 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_2048_norm_18(sp_digit* a)
{
    int i;
    for (i = 0; i < 16; i += 8) {
        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
    }
    a[17] += a[16] >> 57; a[16] &= 0x1ffffffffffffffL;
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 57 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_2048_norm_36(sp_digit* a)
{
    int i;
    for (i = 0; i < 32; i += 8) {
        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
    }
    a[33] += a[32] >> 57; a[32] &= 0x1ffffffffffffffL;
    a[34] += a[33] >> 57; a[33] &= 0x1ffffffffffffffL;
    a[35] += a[34] >> 57; a[34] &= 0x1ffffffffffffffL;
}

#ifndef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_2048_mul_9(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[9];

    t0 = ((sp_uint128)a[ 0]) * b[ 0];
    t1 = ((sp_uint128)a[ 0]) * b[ 1]
       + ((sp_uint128)a[ 1]) * b[ 0];
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 2]
       + ((sp_uint128)a[ 1]) * b[ 1]
       + ((sp_uint128)a[ 2]) * b[ 0];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 3]
       + ((sp_uint128)a[ 1]) * b[ 2]
       + ((sp_uint128)a[ 2]) * b[ 1]
       + ((sp_uint128)a[ 3]) * b[ 0];
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 4]
       + ((sp_uint128)a[ 1]) * b[ 3]
       + ((sp_uint128)a[ 2]) * b[ 2]
       + ((sp_uint128)a[ 3]) * b[ 1]
       + ((sp_uint128)a[ 4]) * b[ 0];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 5]
       + ((sp_uint128)a[ 1]) * b[ 4]
       + ((sp_uint128)a[ 2]) * b[ 3]
       + ((sp_uint128)a[ 3]) * b[ 2]
       + ((sp_uint128)a[ 4]) * b[ 1]
       + ((sp_uint128)a[ 5]) * b[ 0];
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 6]
       + ((sp_uint128)a[ 1]) * b[ 5]
       + ((sp_uint128)a[ 2]) * b[ 4]
       + ((sp_uint128)a[ 3]) * b[ 3]
       + ((sp_uint128)a[ 4]) * b[ 2]
       + ((sp_uint128)a[ 5]) * b[ 1]
       + ((sp_uint128)a[ 6]) * b[ 0];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 7]
       + ((sp_uint128)a[ 1]) * b[ 6]
       + ((sp_uint128)a[ 2]) * b[ 5]
       + ((sp_uint128)a[ 3]) * b[ 4]
       + ((sp_uint128)a[ 4]) * b[ 3]
       + ((sp_uint128)a[ 5]) * b[ 2]
       + ((sp_uint128)a[ 6]) * b[ 1]
       + ((sp_uint128)a[ 7]) * b[ 0];
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 8]
       + ((sp_uint128)a[ 1]) * b[ 7]
       + ((sp_uint128)a[ 2]) * b[ 6]
       + ((sp_uint128)a[ 3]) * b[ 5]
       + ((sp_uint128)a[ 4]) * b[ 4]
       + ((sp_uint128)a[ 5]) * b[ 3]
       + ((sp_uint128)a[ 6]) * b[ 2]
       + ((sp_uint128)a[ 7]) * b[ 1]
       + ((sp_uint128)a[ 8]) * b[ 0];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 1]) * b[ 8]
       + ((sp_uint128)a[ 2]) * b[ 7]
       + ((sp_uint128)a[ 3]) * b[ 6]
       + ((sp_uint128)a[ 4]) * b[ 5]
       + ((sp_uint128)a[ 5]) * b[ 4]
       + ((sp_uint128)a[ 6]) * b[ 3]
       + ((sp_uint128)a[ 7]) * b[ 2]
       + ((sp_uint128)a[ 8]) * b[ 1];
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 2]) * b[ 8]
       + ((sp_uint128)a[ 3]) * b[ 7]
       + ((sp_uint128)a[ 4]) * b[ 6]
       + ((sp_uint128)a[ 5]) * b[ 5]
       + ((sp_uint128)a[ 6]) * b[ 4]
       + ((sp_uint128)a[ 7]) * b[ 3]
       + ((sp_uint128)a[ 8]) * b[ 2];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 3]) * b[ 8]
       + ((sp_uint128)a[ 4]) * b[ 7]
       + ((sp_uint128)a[ 5]) * b[ 6]
       + ((sp_uint128)a[ 6]) * b[ 5]
       + ((sp_uint128)a[ 7]) * b[ 4]
       + ((sp_uint128)a[ 8]) * b[ 3];
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 4]) * b[ 8]
       + ((sp_uint128)a[ 5]) * b[ 7]
       + ((sp_uint128)a[ 6]) * b[ 6]
       + ((sp_uint128)a[ 7]) * b[ 5]
       + ((sp_uint128)a[ 8]) * b[ 4];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 5]) * b[ 8]
       + ((sp_uint128)a[ 6]) * b[ 7]
       + ((sp_uint128)a[ 7]) * b[ 6]
       + ((sp_uint128)a[ 8]) * b[ 5];
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 6]) * b[ 8]
       + ((sp_uint128)a[ 7]) * b[ 7]
       + ((sp_uint128)a[ 8]) * b[ 6];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 7]) * b[ 8]
       + ((sp_uint128)a[ 8]) * b[ 7];
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 8]) * b[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];
    r[ 7] = a[ 7] + b[ 7];
    r[ 8] = a[ 8] + b[ 8];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[16] = a[16] + b[16];
    r[17] = a[17] + b[17];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[16] = a[16] - b[16];
    r[17] = a[17] - b[17];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_2048_mul_18(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit* z0 = r;
    sp_digit z1[18];
    sp_digit* a1 = z1;
    sp_digit b1[9];
    sp_digit* z2 = r + 18;
    (void)sp_2048_add_9(a1, a, &a[9]);
    (void)sp_2048_add_9(b1, b, &b[9]);
    sp_2048_mul_9(z2, &a[9], &b[9]);
    sp_2048_mul_9(z0, a, b);
    sp_2048_mul_9(z1, a1, b1);
    (void)sp_2048_sub_18(z1, z1, z2);
    (void)sp_2048_sub_18(z1, z1, z0);
    (void)sp_2048_add_18(r + 9, r + 9, z1);
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_add_36(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[32] = a[32] + b[32];
    r[33] = a[33] + b[33];
    r[34] = a[34] + b[34];
    r[35] = a[35] + b[35];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_2048_sub_36(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[32] = a[32] - b[32];
    r[33] = a[33] - b[33];
    r[34] = a[34] - b[34];
    r[35] = a[35] - b[35];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_2048_mul_36(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit* z0 = r;
    sp_digit z1[36];
    sp_digit* a1 = z1;
    sp_digit b1[18];
    sp_digit* z2 = r + 36;
    (void)sp_2048_add_18(a1, a, &a[18]);
    (void)sp_2048_add_18(b1, b, &b[18]);
    sp_2048_mul_18(z2, &a[18], &b[18]);
    sp_2048_mul_18(z0, a, b);
    sp_2048_mul_18(z1, a1, b1);
    (void)sp_2048_sub_36(z1, z1, z2);
    (void)sp_2048_sub_36(z1, z1, z0);
    (void)sp_2048_add_36(r + 18, r + 18, z1);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_2048_sqr_9(sp_digit* r, const sp_digit* a)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[9];

    t0 =  ((sp_uint128)a[ 0]) * a[ 0];
    t1 = (((sp_uint128)a[ 0]) * a[ 1]) * 2;
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 2]) * 2
       +  ((sp_uint128)a[ 1]) * a[ 1];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 3]
       +  ((sp_uint128)a[ 1]) * a[ 2]) * 2;
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 4]
       +  ((sp_uint128)a[ 1]) * a[ 3]) * 2
       +  ((sp_uint128)a[ 2]) * a[ 2];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 5]
       +  ((sp_uint128)a[ 1]) * a[ 4]
       +  ((sp_uint128)a[ 2]) * a[ 3]) * 2;
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 6]
       +  ((sp_uint128)a[ 1]) * a[ 5]
       +  ((sp_uint128)a[ 2]) * a[ 4]) * 2
       +  ((sp_uint128)a[ 3]) * a[ 3];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 7]
       +  ((sp_uint128)a[ 1]) * a[ 6]
       +  ((sp_uint128)a[ 2]) * a[ 5]
       +  ((sp_uint128)a[ 3]) * a[ 4]) * 2;
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 8]
       +  ((sp_uint128)a[ 1]) * a[ 7]
       +  ((sp_uint128)a[ 2]) * a[ 6]
       +  ((sp_uint128)a[ 3]) * a[ 5]) * 2
       +  ((sp_uint128)a[ 4]) * a[ 4];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 1]) * a[ 8]
       +  ((sp_uint128)a[ 2]) * a[ 7]
       +  ((sp_uint128)a[ 3]) * a[ 6]
       +  ((sp_uint128)a[ 4]) * a[ 5]) * 2;
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 2]) * a[ 8]
       +  ((sp_uint128)a[ 3]) * a[ 7]
       +  ((sp_uint128)a[ 4]) * a[ 6]) * 2
       +  ((sp_uint128)a[ 5]) * a[ 5];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 3]) * a[ 8]
       +  ((sp_uint128)a[ 4]) * a[ 7]
       +  ((sp_uint128)a[ 5]) * a[ 6]) * 2;
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 4]) * a[ 8]
       +  ((sp_uint128)a[ 5]) * a[ 7]) * 2
       +  ((sp_uint128)a[ 6]) * a[ 6];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 5]) * a[ 8]
       +  ((sp_uint128)a[ 6]) * a[ 7]) * 2;
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 6]) * a[ 8]) * 2
       +  ((sp_uint128)a[ 7]) * a[ 7];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 7]) * a[ 8]) * 2;
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 =  ((sp_uint128)a[ 8]) * a[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_2048_sqr_18(sp_digit* r, const sp_digit* a)
{
    sp_digit* z0 = r;
    sp_digit z1[18];
    sp_digit* a1 = z1;
    sp_digit* z2 = r + 18;
    (void)sp_2048_add_9(a1, a, &a[9]);
    sp_2048_sqr_9(z2, &a[9]);
    sp_2048_sqr_9(z0, a);
    sp_2048_sqr_9(z1, a1);
    (void)sp_2048_sub_18(z1, z1, z2);
    (void)sp_2048_sub_18(z1, z1, z0);
    (void)sp_2048_add_18(r + 9, r + 9, z1);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_2048_sqr_36(sp_digit* r, const sp_digit* a)
{
    sp_digit* z0 = r;
    sp_digit z1[36];
    sp_digit* a1 = z1;
    sp_digit* z2 = r + 36;
    (void)sp_2048_add_18(a1, a, &a[18]);
    sp_2048_sqr_18(z2, &a[18]);
    sp_2048_sqr_18(z0, a);
    sp_2048_sqr_18(z1, a1);
    (void)sp_2048_sub_36(z1, z1, z2);
    (void)sp_2048_sub_36(z1, z1, z0);
    (void)sp_2048_add_36(r + 18, r + 18, z1);
}

#endif /* !WOLFSSL_SP_SMALL */
/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_2048_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0x1ffffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 57) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_36(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 36; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    r[36] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 2048 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_2048_mont_norm_18(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = 0x1ffffffffffffffL;
        r[i + 1] = 0x1ffffffffffffffL;
        r[i + 2] = 0x1ffffffffffffffL;
        r[i + 3] = 0x1ffffffffffffffL;
        r[i + 4] = 0x1ffffffffffffffL;
        r[i + 5] = 0x1ffffffffffffffL;
        r[i + 6] = 0x1ffffffffffffffL;
        r[i + 7] = 0x1ffffffffffffffL;
    }
    r[16] = 0x1ffffffffffffffL;
    r[17] = 0x7fffffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_2048_sub_18(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_2048_cmp_18(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[17] - b[17]) & (0 - (sp_digit)1);
    r |= (a[16] - b[16]) & ~(((sp_digit)0 - r) >> 56);
    for (i = 8; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 56);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_2048_cond_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[16] = a[16] - (b[16] & m);
    r[17] = a[17] - (b[17] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
    for (i = 0; i < 16; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
    }
    t[1] = tb * a[17];
    r[17] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
    r[18] +=  (sp_digit)(t[1] >> 57);
}

/* Shift the result in the high 1024 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_2048_mont_shift_18(sp_digit* r, const sp_digit* a)
{
    sp_uint64 n;
    int i;

    n  = (sp_uint64)a[17];
    n  = n >> 55U;
    for (i = 0; i < 16; i += 8) {
        n += (sp_uint64)a[i+18] << 2U; r[i+0] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+19] << 2U; r[i+1] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+20] << 2U; r[i+2] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+21] << 2U; r[i+3] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+22] << 2U; r[i+4] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+23] << 2U; r[i+5] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+24] << 2U; r[i+6] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+25] << 2U; r[i+7] = n & 0x1ffffffffffffffUL; n >>= 57U;
    }
    n += (sp_uint64)a[34] << 2U; r[16] = n & 0x1ffffffffffffffUL; n >>= 57U;
    n += (sp_uint64)a[35] << 2U; r[17] = n;
    XMEMSET(&r[18], 0, sizeof(*r) * 18U);
}

/* Reduce the number back to 2048 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_2048_mont_reduce_18(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_2048_norm_18(a + 18);

    for (i=0; i<17; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
        sp_2048_mul_add_18(a+i, m, mu);
        a[i+1] += a[i] >> 57;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7fffffffffffffL;
    sp_2048_mul_add_18(a+i, m, mu);
    a[i+1] += a[i] >> 57;
    a[i] &= 0x1ffffffffffffffL;
    sp_2048_mont_shift_18(a, a);
    over = a[17] - m[17];
    sp_2048_cond_sub_18(a, a, m, ~((over - 1) >> 63));
    sp_2048_norm_18(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_mul_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_2048_mul_18(r, a, b);
    sp_2048_mont_reduce_18(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_sqr_18(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_2048_sqr_18(r, a);
    sp_2048_mont_reduce_18(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_18(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 16; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[16];
    r[16] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    t += tb * a[17];
    r[17] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    r[18] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_2048_cond_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[16] = a[16] + (b[16] & m);
    r[17] = a[17] + (b[17] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_2048_rshift_18(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<16; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (57 - n)) & 0x1ffffffffffffffL);
    }
    r[16] = (a[16] >> n) | ((a[17] << (57 - n)) & 0x1ffffffffffffffL);
    r[17] = a[17] >> n;
}

static WC_INLINE sp_digit sp_2048_div_word_18(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 57) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 57);
    sp_digit t0 = (sp_digit)(d & 0x1ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 55; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 56) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 57);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 114) - (sp_digit)(d >> 114);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 26) + 1;

    t = (sp_digit)(d >> 52);
    t = (t / dv) << 26;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 21);
    t = t / (dv << 5);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_2048_word_div_word_18(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_div_18(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 18 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 18 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 36 + 1;
        sd = t2 + 18 + 1;

        sp_2048_mul_d_18(sd, d, (sp_digit)1 << 2);
        sp_2048_mul_d_36(t1, a, (sp_digit)1 << 2);
        dv = sd[17];
        t1[18 + 18] += t1[18 + 18 - 1] >> 57;
        t1[18 + 18 - 1] &= 0x1ffffffffffffffL;
        for (i=18; i>=0; i--) {
            r1 = sp_2048_div_word_18(t1[18 + i], t1[18 + i - 1], dv);

            sp_2048_mul_d_18(t2, sd, r1);
            (void)sp_2048_sub_18(&t1[i], &t1[i], t2);
            sp_2048_norm_18(&t1[i]);
            t1[18 + i] -= t2[18];
            t1[18 + i] += t1[18 + i - 1] >> 57;
            t1[18 + i - 1] &= 0x1ffffffffffffffL;
            r1 = sp_2048_div_word_18(-t1[18 + i], -t1[18 + i - 1], dv);
            r1 -= t1[18 + i];
            sp_2048_mul_d_18(t2, sd, r1);
            (void)sp_2048_add_18(&t1[i], &t1[i], t2);
            t1[18 + i] += t1[18 + i - 1] >> 57;
            t1[18 + i - 1] &= 0x1ffffffffffffffL;
        }
        t1[18 - 1] += t1[18 - 2] >> 57;
        t1[18 - 2] &= 0x1ffffffffffffffL;
        r1 = sp_2048_word_div_word_18(t1[18 - 1], dv);

        sp_2048_mul_d_18(t2, sd, r1);
        sp_2048_sub_18(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 36U);
        for (i=0; i<17; i++) {
            r[i+1] += r[i] >> 57;
            r[i] &= 0x1ffffffffffffffL;
        }
        sp_2048_cond_add_18(r, r, sd, r[17] >> 63);

        sp_2048_norm_18(r);
        sp_2048_rshift_18(r, r, 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_mod_18(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_2048_div_18(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_2048_mod_exp_18(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 36];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 18 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 18 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 18U * 2U);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_18(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_18(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 18U);
        }
    }
    if (err == MP_OKAY) {
        sp_2048_mul_18(t[1], t[1], norm);
        err = sp_2048_mod_18(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_2048_mont_mul_18(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 18 * 2);
            sp_2048_mont_sqr_18(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 18 * 2);
        }

        sp_2048_mont_reduce_18(t[0], m, mp);
        n = sp_2048_cmp_18(t[0], m);
        sp_2048_cond_sub_18(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 18 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 36];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 18 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 18 * 2);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_18(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_18(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_18(t[1], t[1], norm);
                err = sp_2048_mod_18(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_18(t[1], a, norm);
            err = sp_2048_mod_18(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_2048_mont_mul_18(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 18 * 2);
            sp_2048_mont_sqr_18(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 18 * 2);
        }

        sp_2048_mont_reduce_18(t[0], m, mp);
        n = sp_2048_cmp_18(t[0], m);
        sp_2048_cond_sub_18(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 18 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 36) + 36];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 36) + 36), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 36;
        rt = td + 1152;

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_18(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_18(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_18(t[1], t[1], norm);
                err = sp_2048_mod_18(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_18(t[1], a, norm);
            err = sp_2048_mod_18(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_2048_mont_sqr_18(t[ 2], t[ 1], m, mp);
        sp_2048_mont_mul_18(t[ 3], t[ 2], t[ 1], m, mp);
        sp_2048_mont_sqr_18(t[ 4], t[ 2], m, mp);
        sp_2048_mont_mul_18(t[ 5], t[ 3], t[ 2], m, mp);
        sp_2048_mont_sqr_18(t[ 6], t[ 3], m, mp);
        sp_2048_mont_mul_18(t[ 7], t[ 4], t[ 3], m, mp);
        sp_2048_mont_sqr_18(t[ 8], t[ 4], m, mp);
        sp_2048_mont_mul_18(t[ 9], t[ 5], t[ 4], m, mp);
        sp_2048_mont_sqr_18(t[10], t[ 5], m, mp);
        sp_2048_mont_mul_18(t[11], t[ 6], t[ 5], m, mp);
        sp_2048_mont_sqr_18(t[12], t[ 6], m, mp);
        sp_2048_mont_mul_18(t[13], t[ 7], t[ 6], m, mp);
        sp_2048_mont_sqr_18(t[14], t[ 7], m, mp);
        sp_2048_mont_mul_18(t[15], t[ 8], t[ 7], m, mp);
        sp_2048_mont_sqr_18(t[16], t[ 8], m, mp);
        sp_2048_mont_mul_18(t[17], t[ 9], t[ 8], m, mp);
        sp_2048_mont_sqr_18(t[18], t[ 9], m, mp);
        sp_2048_mont_mul_18(t[19], t[10], t[ 9], m, mp);
        sp_2048_mont_sqr_18(t[20], t[10], m, mp);
        sp_2048_mont_mul_18(t[21], t[11], t[10], m, mp);
        sp_2048_mont_sqr_18(t[22], t[11], m, mp);
        sp_2048_mont_mul_18(t[23], t[12], t[11], m, mp);
        sp_2048_mont_sqr_18(t[24], t[12], m, mp);
        sp_2048_mont_mul_18(t[25], t[13], t[12], m, mp);
        sp_2048_mont_sqr_18(t[26], t[13], m, mp);
        sp_2048_mont_mul_18(t[27], t[14], t[13], m, mp);
        sp_2048_mont_sqr_18(t[28], t[14], m, mp);
        sp_2048_mont_mul_18(t[29], t[15], t[14], m, mp);
        sp_2048_mont_sqr_18(t[30], t[15], m, mp);
        sp_2048_mont_mul_18(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 18) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 36);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 52;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 7;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_2048_mont_sqr_18(rt, rt, m, mp);
            sp_2048_mont_sqr_18(rt, rt, m, mp);
            sp_2048_mont_sqr_18(rt, rt, m, mp);
            sp_2048_mont_sqr_18(rt, rt, m, mp);
            sp_2048_mont_sqr_18(rt, rt, m, mp);

            sp_2048_mont_mul_18(rt, rt, t[y], m, mp);
        }

        sp_2048_mont_reduce_18(rt, m, mp);
        n = sp_2048_cmp_18(rt, m);
        sp_2048_cond_sub_18(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 36);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) | WOLFSSL_HAVE_SP_DH */

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 2048 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_2048_mont_norm_36(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = 0x1ffffffffffffffL;
        r[i + 1] = 0x1ffffffffffffffL;
        r[i + 2] = 0x1ffffffffffffffL;
        r[i + 3] = 0x1ffffffffffffffL;
        r[i + 4] = 0x1ffffffffffffffL;
        r[i + 5] = 0x1ffffffffffffffL;
        r[i + 6] = 0x1ffffffffffffffL;
        r[i + 7] = 0x1ffffffffffffffL;
    }
    r[32] = 0x1ffffffffffffffL;
    r[33] = 0x1ffffffffffffffL;
    r[34] = 0x1ffffffffffffffL;
    r[35] = 0x1fffffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_2048_sub_36(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_2048_cmp_36(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[35] - b[35]) & (0 - (sp_digit)1);
    r |= (a[34] - b[34]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[33] - b[33]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[32] - b[32]) & ~(((sp_digit)0 - r) >> 56);
    for (i = 24; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 56);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_2048_cond_sub_36(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[32] = a[32] - (b[32] & m);
    r[33] = a[33] - (b[33] & m);
    r[34] = a[34] - (b[34] & m);
    r[35] = a[35] - (b[35] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_add_36(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
    for (i = 0; i < 32; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
    }
    t[1] = tb * a[33];
    r[33] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
    t[2] = tb * a[34];
    r[34] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
    t[3] = tb * a[35];
    r[35] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
    r[36] +=  (sp_digit)(t[3] >> 57);
}

/* Shift the result in the high 2048 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_2048_mont_shift_36(sp_digit* r, const sp_digit* a)
{
    sp_digit n;
    sp_digit s;
    int i;

    s = a[36]; n = a[35] >> 53;
    for (i = 0; i < 32; i += 8) {
        n += (s & 0x1ffffffffffffffL) << 4; r[i+0] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+37] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+1] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+38] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+2] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+39] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+3] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+40] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+4] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+41] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+5] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+42] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+6] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+43] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 4; r[i+7] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+44] + (s >> 57);
    }
    n += (s & 0x1ffffffffffffffL) << 4; r[32] = n & 0x1ffffffffffffffL;
    n >>= 57; s = a[69] + (s >> 57);
    n += (s & 0x1ffffffffffffffL) << 4; r[33] = n & 0x1ffffffffffffffL;
    n >>= 57; s = a[70] + (s >> 57);
    n += (s & 0x1ffffffffffffffL) << 4; r[34] = n & 0x1ffffffffffffffL;
    n >>= 57; s = a[71] + (s >> 57);
    n += s << 4;              r[35] = n;
    XMEMSET(&r[36], 0, sizeof(*r) * 36U);
}

/* Reduce the number back to 2048 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_2048_mont_reduce_36(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_2048_norm_36(a + 36);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<35; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
            sp_2048_mul_add_36(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffL;
        sp_2048_mul_add_36(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
    else {
        for (i=0; i<35; i++) {
            mu = a[i] & 0x1ffffffffffffffL;
            sp_2048_mul_add_36(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = a[i] & 0x1fffffffffffffL;
        sp_2048_mul_add_36(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
#else
    for (i=0; i<35; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
        sp_2048_mul_add_36(a+i, m, mu);
        a[i+1] += a[i] >> 57;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffL;
    sp_2048_mul_add_36(a+i, m, mu);
    a[i+1] += a[i] >> 57;
    a[i] &= 0x1ffffffffffffffL;
#endif
    sp_2048_mont_shift_36(a, a);
    over = a[35] - m[35];
    sp_2048_cond_sub_36(a, a, m, ~((over - 1) >> 63));
    sp_2048_norm_36(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_mul_36(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_2048_mul_36(r, a, b);
    sp_2048_mont_reduce_36(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_2048_mont_sqr_36(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_2048_sqr_36(r, a);
    sp_2048_mont_reduce_36(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_2048_mul_d_72(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 72; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    r[72] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_2048_cond_add_36(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[32] = a[32] + (b[32] & m);
    r[33] = a[33] + (b[33] & m);
    r[34] = a[34] + (b[34] & m);
    r[35] = a[35] + (b[35] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_2048_rshift_36(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<32; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (57 - n)) & 0x1ffffffffffffffL);
    }
    r[32] = (a[32] >> n) | ((a[33] << (57 - n)) & 0x1ffffffffffffffL);
    r[33] = (a[33] >> n) | ((a[34] << (57 - n)) & 0x1ffffffffffffffL);
    r[34] = (a[34] >> n) | ((a[35] << (57 - n)) & 0x1ffffffffffffffL);
    r[35] = a[35] >> n;
}

static WC_INLINE sp_digit sp_2048_div_word_36(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 57) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 57);
    sp_digit t0 = (sp_digit)(d & 0x1ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 55; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 56) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 57);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 114) - (sp_digit)(d >> 114);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 26) + 1;

    t = (sp_digit)(d >> 52);
    t = (t / dv) << 26;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 21);
    t = t / (dv << 5);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_2048_word_div_word_36(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_div_36(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 36 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 36 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 72 + 1;
        sd = t2 + 36 + 1;

        sp_2048_mul_d_36(sd, d, (sp_digit)1 << 4);
        sp_2048_mul_d_72(t1, a, (sp_digit)1 << 4);
        dv = sd[35];
        t1[36 + 36] += t1[36 + 36 - 1] >> 57;
        t1[36 + 36 - 1] &= 0x1ffffffffffffffL;
        for (i=36; i>=0; i--) {
            r1 = sp_2048_div_word_36(t1[36 + i], t1[36 + i - 1], dv);

            sp_2048_mul_d_36(t2, sd, r1);
            (void)sp_2048_sub_36(&t1[i], &t1[i], t2);
            sp_2048_norm_36(&t1[i]);
            t1[36 + i] -= t2[36];
            t1[36 + i] += t1[36 + i - 1] >> 57;
            t1[36 + i - 1] &= 0x1ffffffffffffffL;
            r1 = sp_2048_div_word_36(-t1[36 + i], -t1[36 + i - 1], dv);
            r1 -= t1[36 + i];
            sp_2048_mul_d_36(t2, sd, r1);
            (void)sp_2048_add_36(&t1[i], &t1[i], t2);
            t1[36 + i] += t1[36 + i - 1] >> 57;
            t1[36 + i - 1] &= 0x1ffffffffffffffL;
        }
        t1[36 - 1] += t1[36 - 2] >> 57;
        t1[36 - 2] &= 0x1ffffffffffffffL;
        r1 = sp_2048_word_div_word_36(t1[36 - 1], dv);

        sp_2048_mul_d_36(t2, sd, r1);
        sp_2048_sub_36(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 72U);
        for (i=0; i<35; i++) {
            r[i+1] += r[i] >> 57;
            r[i] &= 0x1ffffffffffffffL;
        }
        sp_2048_cond_add_36(r, r, sd, r[35] >> 63);

        sp_2048_norm_36(r);
        sp_2048_rshift_36(r, r, 4);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_2048_mod_36(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_2048_div_36(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
                                                     defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_2048_mod_exp_36(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 72];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 36 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 36 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 36U * 2U);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_36(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_36(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 36U);
        }
    }
    if (err == MP_OKAY) {
        sp_2048_mul_36(t[1], t[1], norm);
        err = sp_2048_mod_36(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_2048_mont_mul_36(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 36 * 2);
            sp_2048_mont_sqr_36(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 36 * 2);
        }

        sp_2048_mont_reduce_36(t[0], m, mp);
        n = sp_2048_cmp_36(t[0], m);
        sp_2048_cond_sub_36(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 36 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 72];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 36 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 36 * 2);
        }

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_36(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_36(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_36(t[1], t[1], norm);
                err = sp_2048_mod_36(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_36(t[1], a, norm);
            err = sp_2048_mod_36(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_2048_mont_mul_36(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 36 * 2);
            sp_2048_mont_sqr_36(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 36 * 2);
        }

        sp_2048_mont_reduce_36(t[0], m, mp);
        n = sp_2048_cmp_36(t[0], m);
        sp_2048_cond_sub_36(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 36 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 72) + 72];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 72) + 72), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 72;
        rt = td + 1152;

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_36(norm, m);

        if (reduceA != 0) {
            err = sp_2048_mod_36(t[1], a, m);
            if (err == MP_OKAY) {
                sp_2048_mul_36(t[1], t[1], norm);
                err = sp_2048_mod_36(t[1], t[1], m);
            }
        }
        else {
            sp_2048_mul_36(t[1], a, norm);
            err = sp_2048_mod_36(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_2048_mont_sqr_36(t[ 2], t[ 1], m, mp);
        sp_2048_mont_mul_36(t[ 3], t[ 2], t[ 1], m, mp);
        sp_2048_mont_sqr_36(t[ 4], t[ 2], m, mp);
        sp_2048_mont_mul_36(t[ 5], t[ 3], t[ 2], m, mp);
        sp_2048_mont_sqr_36(t[ 6], t[ 3], m, mp);
        sp_2048_mont_mul_36(t[ 7], t[ 4], t[ 3], m, mp);
        sp_2048_mont_sqr_36(t[ 8], t[ 4], m, mp);
        sp_2048_mont_mul_36(t[ 9], t[ 5], t[ 4], m, mp);
        sp_2048_mont_sqr_36(t[10], t[ 5], m, mp);
        sp_2048_mont_mul_36(t[11], t[ 6], t[ 5], m, mp);
        sp_2048_mont_sqr_36(t[12], t[ 6], m, mp);
        sp_2048_mont_mul_36(t[13], t[ 7], t[ 6], m, mp);
        sp_2048_mont_sqr_36(t[14], t[ 7], m, mp);
        sp_2048_mont_mul_36(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 36) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 72);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 53;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 7;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_2048_mont_sqr_36(rt, rt, m, mp);
            sp_2048_mont_sqr_36(rt, rt, m, mp);
            sp_2048_mont_sqr_36(rt, rt, m, mp);
            sp_2048_mont_sqr_36(rt, rt, m, mp);

            sp_2048_mont_mul_36(rt, rt, t[y], m, mp);
        }

        sp_2048_mont_reduce_36(rt, m, mp);
        n = sp_2048_cmp_36(rt, m);
        sp_2048_cond_sub_36(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 72);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}
#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) || */
       /* WOLFSSL_HAVE_SP_DH */

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 256 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_2048(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[36 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 36 * 2;
        m = r + 36 * 2;
        norm = r;

        sp_2048_from_bin(a, 36, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_2048_from_mp(m, 36, mm);

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_36(norm, m);
    }
    if (err == MP_OKAY) {
        sp_2048_mul_36(a, a, norm);
        err = sp_2048_mod_36(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 36 * 2);
        for (i--; i>=0; i--) {
            sp_2048_mont_sqr_36(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_2048_mont_mul_36(r, r, a, m, mp);
            }
        }
        sp_2048_mont_reduce_36(r, m, mp);
        mp = sp_2048_cmp_36(r, m);
        sp_2048_cond_sub_36(r, r, m, ~(mp >> 63));

        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[36 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 36 * 2;
        m = r + 36 * 2;

        sp_2048_from_bin(a, 36, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(m, 36, mm);

        if (e[0] == 0x3) {
            sp_2048_sqr_36(r, a);
            err = sp_2048_mod_36(r, r, m);
            if (err == MP_OKAY) {
                sp_2048_mul_36(r, a, r);
                err = sp_2048_mod_36(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_2048_mont_setup(m, &mp);
            sp_2048_mont_norm_36(norm, m);

            sp_2048_mul_36(a, a, norm);
            err = sp_2048_mod_36(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 72U);
                for (i--; i>=0; i--) {
                    sp_2048_mont_sqr_36(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_2048_mont_mul_36(r, r, a, m, mp);
                    }
                }
                sp_2048_mont_reduce_36(r, m, mp);
                mp = sp_2048_cmp_36(r, m);
                sp_2048_cond_sub_36(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 256 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_2048(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[36 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 2048) {
           err = MP_READ_E;
        }
        else if (inLen > 256) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 36;
        m = a + 72;
        r = a;

        sp_2048_from_bin(a, 36, in, inLen);
        sp_2048_from_mp(d, 36, dm);
        sp_2048_from_mp(m, 36, mm);
        err = sp_2048_mod_exp_36(r, a, d, 2048, m, 0);
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 36);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[36 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 2048) {
            err = MP_READ_E;
        }
        else if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 36;
        m = a + 72;
        r = a;

        sp_2048_from_bin(a, 36, in, inLen);
        sp_2048_from_mp(d, 36, dm);
        sp_2048_from_mp(m, 36, mm);
        err = sp_2048_mod_exp_36(r, a, d, 2048, m, 0);
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 36);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[18 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 256) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 36;
        qi = dq = dp = p + 18;
        tmpa = qi + 18;
        tmpb = tmpa + 36;
        r = a;

        sp_2048_from_bin(a, 36, in, inLen);
        sp_2048_from_mp(p, 18, pm);
        sp_2048_from_mp(dp, 18, dpm);
        err = sp_2048_mod_exp_18(tmpa, a, dp, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 18, qm);
        sp_2048_from_mp(dq, 18, dqm);
        err = sp_2048_mod_exp_18(tmpb, a, dq, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 18, pm);
        (void)sp_2048_sub_18(tmpa, tmpa, tmpb);
        sp_2048_norm_18(tmpa);
        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
        sp_2048_norm_18(tmpa);

        sp_2048_from_mp(qi, 18, qim);
        sp_2048_mul_18(tmpa, tmpa, qi);
        err = sp_2048_mod_18(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_2048_from_mp(p, 18, qm);
        sp_2048_mul_18(tmpa, p, tmpa);
        (void)sp_2048_add_36(r, tmpb, tmpa);
        sp_2048_norm_36(r);

        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 18 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[18 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 256U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 256U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 2048) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 36 * 2;
        q = p + 18;
        dp = q + 18;
        dq = dp + 18;
        qi = dq + 18;
        tmpa = qi + 18;
        tmpb = tmpa + 36;
        r = a;

        sp_2048_from_bin(a, 36, in, inLen);
        sp_2048_from_mp(p, 18, pm);
        sp_2048_from_mp(q, 18, qm);
        sp_2048_from_mp(dp, 18, dpm);
        sp_2048_from_mp(dq, 18, dqm);
        sp_2048_from_mp(qi, 18, qim);

        err = sp_2048_mod_exp_18(tmpa, a, dp, 1024, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_2048_mod_exp_18(tmpb, a, dq, 1024, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_2048_sub_18(tmpa, tmpa, tmpb);
        sp_2048_norm_18(tmpa);
        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
        sp_2048_cond_add_18(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[17] >> 63));
        sp_2048_norm_18(tmpa);
        sp_2048_mul_18(tmpa, tmpa, qi);
        err = sp_2048_mod_18(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_2048_mul_18(tmpa, tmpa, q);
        (void)sp_2048_add_36(r, tmpb, tmpa);
        sp_2048_norm_36(r);

        sp_2048_to_bin_36(r, out);
        *outLen = 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 18 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_2048_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (2048 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 57
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 36);
        r->used = 36;
        mp_clamp(r);
#elif DIGIT_BIT < 57
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 36; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 57) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 57 - s;
        }
        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 36; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 57 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 57 - s;
            }
            else {
                s += 57;
            }
        }
        r->used = (2048 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_2048(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[36 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expBits > 2048) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 36 * 2;
        m = e + 36;
        r = b;

        sp_2048_from_mp(b, 36, base);
        sp_2048_from_mp(e, 36, exp);
        sp_2048_from_mp(m, 36, mod);

        err = sp_2048_mod_exp_36(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_2048_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 36U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[36 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expBits > 2048) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 36 * 2;
        m = e + 36;
        r = b;

        sp_2048_from_mp(b, 36, base);
        sp_2048_from_mp(e, 36, exp);
        sp_2048_from_mp(m, 36, mod);

        err = sp_2048_mod_exp_36(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_2048_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 36U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_2048
SP_NOINLINE static void sp_2048_lshift_36(sp_digit* r, const sp_digit* a,
        byte n)
{
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[35];
    r[36] = s >> (57U - n);
    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
    r[35] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
    r[34] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
    r[33] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
    r[32] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
    r[31] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
    r[30] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
    r[29] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
    r[28] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
    r[27] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
    r[26] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
    r[25] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
    r[24] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
    r[23] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
    r[22] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
    r[21] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
    r[20] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
    r[19] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
    r[18] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
    r[17] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
    r[16] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
    r[15] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
    r[14] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
    r[13] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
    r[12] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
    r[11] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
    r[10] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    r[0] = (a[0] << n) & 0x1ffffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_2048_mod_exp_2_36(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[109];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 109, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 72;
        XMEMSET(td, 0, sizeof(sp_digit) * 109);

        sp_2048_mont_setup(m, &mp);
        sp_2048_mont_norm_36(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 36) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_2048_lshift_36(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 52;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 7;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_2048_mont_sqr_36(r, r, m, mp);
            sp_2048_mont_sqr_36(r, r, m, mp);
            sp_2048_mont_sqr_36(r, r, m, mp);
            sp_2048_mont_sqr_36(r, r, m, mp);
            sp_2048_mont_sqr_36(r, r, m, mp);

            sp_2048_lshift_36(r, r, (byte)y);
            sp_2048_mul_d_36(tmp, norm, (r[36] << 4) + (r[35] >> 53));
            r[36] = 0;
            r[35] &= 0x1fffffffffffffL;
            (void)sp_2048_add_36(r, r, tmp);
            sp_2048_norm_36(r);
            o = sp_2048_cmp_36(r, m);
            sp_2048_cond_sub_36(r, r, m, ~(o >> 63));
        }

        sp_2048_mont_reduce_36(r, m, mp);
        n = sp_2048_cmp_36(r, m);
        sp_2048_cond_sub_36(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_2048 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 256 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_2048(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[36 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 2048) {
        err = MP_READ_E;
    }
    else if (expLen > 256U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 2048) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 36 * 2;
        m = e + 36;
        r = b;

        sp_2048_from_mp(b, 36, base);
        sp_2048_from_bin(e, 36, exp, expLen);
        sp_2048_from_mp(m, 36, mod);

    #ifdef HAVE_FFDHE_2048
        if (base->used == 1 && base->dp[0] == 2U &&
                (m[35] >> 21) == 0xffffffffL) {
            err = sp_2048_mod_exp_2_36(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_2048_mod_exp_36(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_2048
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_2048_to_bin_36(r, out);
        *outLen = 256;
        for (i=0; i<256U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 36U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_1024(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[18 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1024) {
        err = MP_READ_E;
    }
    else if (expBits > 1024) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1024) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 18 * 2;
        m = e + 18;
        r = b;

        sp_2048_from_mp(b, 18, base);
        sp_2048_from_mp(e, 18, exp);
        sp_2048_from_mp(m, 18, mod);

        err = sp_2048_mod_exp_18(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 18, 0, sizeof(*r) * 18U);
        err = sp_2048_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 36U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[18 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1024) {
        err = MP_READ_E;
    }
    else if (expBits > 1024) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1024) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 18 * 2;
        m = e + 18;
        r = b;

        sp_2048_from_mp(b, 18, base);
        sp_2048_from_mp(e, 18, exp);
        sp_2048_from_mp(m, 18, mod);

        err = sp_2048_mod_exp_18(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 18, 0, sizeof(*r) * 18U);
        err = sp_2048_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 36U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#endif /* WOLFSSL_SP_SMALL */
#endif /* !WOLFSSL_SP_NO_2048 */

#ifndef WOLFSSL_SP_NO_3072
#ifdef WOLFSSL_SP_SMALL
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 52U) {
            r[j] &= 0xfffffffffffffffL;
            s = 60U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 60
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 59);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 59);
    }
#elif DIGIT_BIT > 60
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0xfffffffffffffffL;
        s = 60U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 60U) <= (word32)DIGIT_BIT) {
            s += 60U;
            r[j] &= 0xfffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 60) {
            r[j] &= 0xfffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 60 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 384
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_3072_to_bin_52(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<51; i++) {
        r[i+1] += r[i] >> 60;
        r[i] &= 0xfffffffffffffffL;
    }
    j = 3079 / 8 - 1;
    a[j] = 0;
    for (i=0; i<52 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 60) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 60);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Normalize the values in each word to 60 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_3072_norm_26(sp_digit* a)
{
    int i;
    for (i = 0; i < 25; i++) {
        a[i+1] += a[i] >> 60;
        a[i] &= 0xfffffffffffffffL;
    }
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 60 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_3072_norm_52(sp_digit* a)
{
    int i;
    for (i = 0; i < 51; i++) {
        a[i+1] += a[i] >> 60;
        a[i] &= 0xfffffffffffffffL;
    }
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_3072_mul_52(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[51]) * b[51];
    r[103] = (sp_digit)(c >> 60);
    c &= 0xfffffffffffffffL;
    for (k = 101; k >= 0; k--) {
        if (k >= 52) {
            i = k - 51;
            imax = 51;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 60;
        r[k + 2] += (sp_digit)(c >> 60);
        r[k + 1]  = (sp_digit)(c & 0xfffffffffffffffL);
        c = lo & 0xfffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_3072_sqr_52(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[51]) * a[51];
    r[103] = (sp_digit)(c >> 60);
    c = (c & 0xfffffffffffffffL) << 60;
    for (k = 101; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 51) {
            imax = k;
        }
        else {
            imax = 51;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 120);
        r[k + 1]  = (sp_digit)((c >> 60) & 0xfffffffffffffffL);
        c = (c & 0xfffffffffffffffL) << 60;
    }
    r[0] = (sp_digit)(c >> 60);
}

/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0xfffffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 60) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_52(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 52; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0xfffffffffffffffL);
        t >>= 60;
    }
    r[52] = (sp_digit)t;
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_sub_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 26; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 3072 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_3072_mont_norm_26(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<25; i++) {
        r[i] = 0xfffffffffffffffL;
    }
    r[25] = 0xfffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_3072_sub_26(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_3072_cmp_26(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=25; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 59);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_3072_cond_sub_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 26; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_add_26(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 24; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0xfffffffffffffffL;
        t[1] += t[0] >> 60;
        r[i+1] = t[1] & 0xfffffffffffffffL;
        t[2] += t[1] >> 60;
        r[i+2] = t[2] & 0xfffffffffffffffL;
        t[3] += t[2] >> 60;
        r[i+3] = t[3] & 0xfffffffffffffffL;
        t[0]  = t[3] >> 60;
    }
    t[0] += (tb * a[24]) + r[24];
    t[1]  = (tb * a[25]) + r[25];
    r[24] = t[0] & 0xfffffffffffffffL;
    t[1] += t[0] >> 60;
    r[25] = t[1] & 0xfffffffffffffffL;
    r[26] +=  (sp_digit)(t[1] >> 60);
}

/* Shift the result in the high 1536 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_3072_mont_shift_26(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[25] >> 36;
    n += ((sp_int128)a[26]) << 24;

    for (i = 0; i < 25; i++) {
        r[i] = n & 0xfffffffffffffffL;
        n >>= 60;
        n += ((sp_int128)a[27 + i]) << 24;
    }
    r[25] = (sp_digit)n;
    XMEMSET(&r[26], 0, sizeof(*r) * 26U);
}

/* Reduce the number back to 3072 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_3072_mont_reduce_26(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_3072_norm_26(a + 26);

    for (i=0; i<25; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffffffffffffffL;
        sp_3072_mul_add_26(a+i, m, mu);
        a[i+1] += a[i] >> 60;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffffffffL;
    sp_3072_mul_add_26(a+i, m, mu);
    a[i+1] += a[i] >> 60;
    a[i] &= 0xfffffffffffffffL;
    sp_3072_mont_shift_26(a, a);
    over = a[25] - m[25];
    sp_3072_cond_sub_26(a, a, m, ~((over - 1) >> 63));
    sp_3072_norm_26(a);
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_3072_mul_26(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[25]) * b[25];
    r[51] = (sp_digit)(c >> 60);
    c &= 0xfffffffffffffffL;
    for (k = 49; k >= 0; k--) {
        if (k >= 26) {
            i = k - 25;
            imax = 25;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 60;
        r[k + 2] += (sp_digit)(c >> 60);
        r[k + 1]  = (sp_digit)(c & 0xfffffffffffffffL);
        c = lo & 0xfffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_mul_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_3072_mul_26(r, a, b);
    sp_3072_mont_reduce_26(r, m, mp);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_3072_sqr_26(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[25]) * a[25];
    r[51] = (sp_digit)(c >> 60);
    c = (c & 0xfffffffffffffffL) << 60;
    for (k = 49; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 25) {
            imax = k;
        }
        else {
            imax = 25;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 120);
        r[k + 1]  = (sp_digit)((c >> 60) & 0xfffffffffffffffL);
        c = (c & 0xfffffffffffffffL) << 60;
    }
    r[0] = (sp_digit)(c >> 60);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_sqr_26(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_3072_sqr_26(r, a);
    sp_3072_mont_reduce_26(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_26(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 26; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0xfffffffffffffffL);
        t >>= 60;
    }
    r[26] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_3072_cond_add_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 26; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 26; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_3072_rshift_26(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<25; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (60 - n))) & 0xfffffffffffffffL;
    }
    r[25] = a[25] >> n;
}

static WC_INLINE sp_digit sp_3072_div_word_26(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 60) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 60);
    sp_digit t0 = (sp_digit)(d & 0xfffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 58; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 59) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 60);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 120) - (sp_digit)(d >> 120);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 29) + 1;

    t = (sp_digit)(d >> 58);
    t = (t / dv) << 29;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 27);
    t = t / (dv << 2);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_3072_word_div_word_26(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_div_26(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 26 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 26 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 52 + 1;
        sd = t2 + 26 + 1;

        sp_3072_mul_d_26(sd, d, (sp_digit)1 << 24);
        sp_3072_mul_d_52(t1, a, (sp_digit)1 << 24);
        dv = sd[25];
        t1[26 + 26] += t1[26 + 26 - 1] >> 60;
        t1[26 + 26 - 1] &= 0xfffffffffffffffL;
        for (i=26; i>=0; i--) {
            r1 = sp_3072_div_word_26(t1[26 + i], t1[26 + i - 1], dv);

            sp_3072_mul_d_26(t2, sd, r1);
            (void)sp_3072_sub_26(&t1[i], &t1[i], t2);
            sp_3072_norm_26(&t1[i]);
            t1[26 + i] -= t2[26];
            t1[26 + i] += t1[26 + i - 1] >> 60;
            t1[26 + i - 1] &= 0xfffffffffffffffL;
            r1 = sp_3072_div_word_26(-t1[26 + i], -t1[26 + i - 1], dv);
            r1 -= t1[26 + i];
            sp_3072_mul_d_26(t2, sd, r1);
            (void)sp_3072_add_26(&t1[i], &t1[i], t2);
            t1[26 + i] += t1[26 + i - 1] >> 60;
            t1[26 + i - 1] &= 0xfffffffffffffffL;
        }
        t1[26 - 1] += t1[26 - 2] >> 60;
        t1[26 - 2] &= 0xfffffffffffffffL;
        r1 = sp_3072_word_div_word_26(t1[26 - 1], dv);

        sp_3072_mul_d_26(t2, sd, r1);
        sp_3072_sub_26(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 52U);
        for (i=0; i<25; i++) {
            r[i+1] += r[i] >> 60;
            r[i] &= 0xfffffffffffffffL;
        }
        sp_3072_cond_add_26(r, r, sd, r[25] >> 63);

        sp_3072_norm_26(r);
        sp_3072_rshift_26(r, r, 24);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_mod_26(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_3072_div_26(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_3072_mod_exp_26(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 52];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 26 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 26 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 26U * 2U);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_26(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_26(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 26U);
        }
    }
    if (err == MP_OKAY) {
        sp_3072_mul_26(t[1], t[1], norm);
        err = sp_3072_mod_26(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 60;
        c = bits % 60;
        n = e[i--] << (60 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 60;
            }

            y = (int)((n >> 59) & 1);
            n <<= 1;

            sp_3072_mont_mul_26(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 26 * 2);
            sp_3072_mont_sqr_26(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 26 * 2);
        }

        sp_3072_mont_reduce_26(t[0], m, mp);
        n = sp_3072_cmp_26(t[0], m);
        sp_3072_cond_sub_26(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 26 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 52];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 26 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 26 * 2);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_26(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_26(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_26(t[1], t[1], norm);
                err = sp_3072_mod_26(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_26(t[1], a, norm);
            err = sp_3072_mod_26(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 60;
        c = bits % 60;
        n = e[i--] << (60 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 60;
            }

            y = (int)((n >> 59) & 1);
            n <<= 1;

            sp_3072_mont_mul_26(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 26 * 2);
            sp_3072_mont_sqr_26(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 26 * 2);
        }

        sp_3072_mont_reduce_26(t[0], m, mp);
        n = sp_3072_cmp_26(t[0], m);
        sp_3072_cond_sub_26(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 26 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 52) + 52];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 52) + 52), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 52;
        rt = td + 1664;

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_26(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_26(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_26(t[1], t[1], norm);
                err = sp_3072_mod_26(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_26(t[1], a, norm);
            err = sp_3072_mod_26(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_3072_mont_sqr_26(t[ 2], t[ 1], m, mp);
        sp_3072_mont_mul_26(t[ 3], t[ 2], t[ 1], m, mp);
        sp_3072_mont_sqr_26(t[ 4], t[ 2], m, mp);
        sp_3072_mont_mul_26(t[ 5], t[ 3], t[ 2], m, mp);
        sp_3072_mont_sqr_26(t[ 6], t[ 3], m, mp);
        sp_3072_mont_mul_26(t[ 7], t[ 4], t[ 3], m, mp);
        sp_3072_mont_sqr_26(t[ 8], t[ 4], m, mp);
        sp_3072_mont_mul_26(t[ 9], t[ 5], t[ 4], m, mp);
        sp_3072_mont_sqr_26(t[10], t[ 5], m, mp);
        sp_3072_mont_mul_26(t[11], t[ 6], t[ 5], m, mp);
        sp_3072_mont_sqr_26(t[12], t[ 6], m, mp);
        sp_3072_mont_mul_26(t[13], t[ 7], t[ 6], m, mp);
        sp_3072_mont_sqr_26(t[14], t[ 7], m, mp);
        sp_3072_mont_mul_26(t[15], t[ 8], t[ 7], m, mp);
        sp_3072_mont_sqr_26(t[16], t[ 8], m, mp);
        sp_3072_mont_mul_26(t[17], t[ 9], t[ 8], m, mp);
        sp_3072_mont_sqr_26(t[18], t[ 9], m, mp);
        sp_3072_mont_mul_26(t[19], t[10], t[ 9], m, mp);
        sp_3072_mont_sqr_26(t[20], t[10], m, mp);
        sp_3072_mont_mul_26(t[21], t[11], t[10], m, mp);
        sp_3072_mont_sqr_26(t[22], t[11], m, mp);
        sp_3072_mont_mul_26(t[23], t[12], t[11], m, mp);
        sp_3072_mont_sqr_26(t[24], t[12], m, mp);
        sp_3072_mont_mul_26(t[25], t[13], t[12], m, mp);
        sp_3072_mont_sqr_26(t[26], t[13], m, mp);
        sp_3072_mont_mul_26(t[27], t[14], t[13], m, mp);
        sp_3072_mont_sqr_26(t[28], t[14], m, mp);
        sp_3072_mont_mul_26(t[29], t[15], t[14], m, mp);
        sp_3072_mont_sqr_26(t[30], t[15], m, mp);
        sp_3072_mont_mul_26(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 59) / 60) - 1;
        c = bits % 60;
        if (c == 0) {
            c = 60;
        }
        if (i < 26) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (4 - c);
            c += 60;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 52);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 4;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 55;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 4;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 60 - c;
            }

            sp_3072_mont_sqr_26(rt, rt, m, mp);
            sp_3072_mont_sqr_26(rt, rt, m, mp);
            sp_3072_mont_sqr_26(rt, rt, m, mp);
            sp_3072_mont_sqr_26(rt, rt, m, mp);
            sp_3072_mont_sqr_26(rt, rt, m, mp);

            sp_3072_mont_mul_26(rt, rt, t[y], m, mp);
        }

        sp_3072_mont_reduce_26(rt, m, mp);
        n = sp_3072_cmp_26(rt, m);
        sp_3072_cond_sub_26(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 52);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) | WOLFSSL_HAVE_SP_DH */

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_sub_52(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 52; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 3072 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_3072_mont_norm_52(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<51; i++) {
        r[i] = 0xfffffffffffffffL;
    }
    r[51] = 0xfffL;

    /* r = (2^n - 1) mod n */
    (void)sp_3072_sub_52(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_3072_cmp_52(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=51; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 59);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_3072_cond_sub_52(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 52; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_add_52(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 48; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0xfffffffffffffffL;
        t[1] += t[0] >> 60;
        r[i+1] = t[1] & 0xfffffffffffffffL;
        t[2] += t[1] >> 60;
        r[i+2] = t[2] & 0xfffffffffffffffL;
        t[3] += t[2] >> 60;
        r[i+3] = t[3] & 0xfffffffffffffffL;
        t[0]  = t[3] >> 60;
    }
    t[0] += (tb * a[48]) + r[48];
    t[1]  = (tb * a[49]) + r[49];
    t[2]  = (tb * a[50]) + r[50];
    t[3]  = (tb * a[51]) + r[51];
    r[48] = t[0] & 0xfffffffffffffffL;
    t[1] += t[0] >> 60;
    r[49] = t[1] & 0xfffffffffffffffL;
    t[2] += t[1] >> 60;
    r[50] = t[2] & 0xfffffffffffffffL;
    t[3] += t[2] >> 60;
    r[51] = t[3] & 0xfffffffffffffffL;
    r[52] +=  (sp_digit)(t[3] >> 60);
}

/* Shift the result in the high 3072 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_3072_mont_shift_52(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[51] >> 12;
    n += ((sp_int128)a[52]) << 48;

    for (i = 0; i < 51; i++) {
        r[i] = n & 0xfffffffffffffffL;
        n >>= 60;
        n += ((sp_int128)a[53 + i]) << 48;
    }
    r[51] = (sp_digit)n;
    XMEMSET(&r[52], 0, sizeof(*r) * 52U);
}

/* Reduce the number back to 3072 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_3072_mont_reduce_52(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_3072_norm_52(a + 52);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<51; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffffffffffffffL;
            sp_3072_mul_add_52(a+i, m, mu);
            a[i+1] += a[i] >> 60;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffL;
        sp_3072_mul_add_52(a+i, m, mu);
        a[i+1] += a[i] >> 60;
        a[i] &= 0xfffffffffffffffL;
    }
    else {
        for (i=0; i<51; i++) {
            mu = a[i] & 0xfffffffffffffffL;
            sp_3072_mul_add_52(a+i, m, mu);
            a[i+1] += a[i] >> 60;
        }
        mu = a[i] & 0xfffL;
        sp_3072_mul_add_52(a+i, m, mu);
        a[i+1] += a[i] >> 60;
        a[i] &= 0xfffffffffffffffL;
    }
#else
    for (i=0; i<51; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffffffffffffffL;
        sp_3072_mul_add_52(a+i, m, mu);
        a[i+1] += a[i] >> 60;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffL;
    sp_3072_mul_add_52(a+i, m, mu);
    a[i+1] += a[i] >> 60;
    a[i] &= 0xfffffffffffffffL;
#endif
    sp_3072_mont_shift_52(a, a);
    over = a[51] - m[51];
    sp_3072_cond_sub_52(a, a, m, ~((over - 1) >> 63));
    sp_3072_norm_52(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_mul_52(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_3072_mul_52(r, a, b);
    sp_3072_mont_reduce_52(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_sqr_52(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_3072_sqr_52(r, a);
    sp_3072_mont_reduce_52(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_104(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 104; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0xfffffffffffffffL);
        t >>= 60;
    }
    r[104] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_3072_cond_add_52(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 52; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_52(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 52; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_3072_rshift_52(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<51; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (60 - n))) & 0xfffffffffffffffL;
    }
    r[51] = a[51] >> n;
}

static WC_INLINE sp_digit sp_3072_div_word_52(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 60) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 60);
    sp_digit t0 = (sp_digit)(d & 0xfffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 58; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 59) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 60);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 120) - (sp_digit)(d >> 120);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 60) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 29) + 1;

    t = (sp_digit)(d >> 58);
    t = (t / dv) << 29;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 27);
    t = t / (dv << 2);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_3072_word_div_word_52(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_div_52(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 52 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 52 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 104 + 1;
        sd = t2 + 52 + 1;

        sp_3072_mul_d_52(sd, d, (sp_digit)1 << 48);
        sp_3072_mul_d_104(t1, a, (sp_digit)1 << 48);
        dv = sd[51];
        t1[52 + 52] += t1[52 + 52 - 1] >> 60;
        t1[52 + 52 - 1] &= 0xfffffffffffffffL;
        for (i=52; i>=0; i--) {
            r1 = sp_3072_div_word_52(t1[52 + i], t1[52 + i - 1], dv);

            sp_3072_mul_d_52(t2, sd, r1);
            (void)sp_3072_sub_52(&t1[i], &t1[i], t2);
            sp_3072_norm_52(&t1[i]);
            t1[52 + i] -= t2[52];
            t1[52 + i] += t1[52 + i - 1] >> 60;
            t1[52 + i - 1] &= 0xfffffffffffffffL;
            r1 = sp_3072_div_word_52(-t1[52 + i], -t1[52 + i - 1], dv);
            r1 -= t1[52 + i];
            sp_3072_mul_d_52(t2, sd, r1);
            (void)sp_3072_add_52(&t1[i], &t1[i], t2);
            t1[52 + i] += t1[52 + i - 1] >> 60;
            t1[52 + i - 1] &= 0xfffffffffffffffL;
        }
        t1[52 - 1] += t1[52 - 2] >> 60;
        t1[52 - 2] &= 0xfffffffffffffffL;
        r1 = sp_3072_word_div_word_52(t1[52 - 1], dv);

        sp_3072_mul_d_52(t2, sd, r1);
        sp_3072_sub_52(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 104U);
        for (i=0; i<51; i++) {
            r[i+1] += r[i] >> 60;
            r[i] &= 0xfffffffffffffffL;
        }
        sp_3072_cond_add_52(r, r, sd, r[51] >> 63);

        sp_3072_norm_52(r);
        sp_3072_rshift_52(r, r, 48);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_mod_52(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_3072_div_52(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_3072_mod_exp_52(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 104];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 52 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 52 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 52U * 2U);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_52(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_52(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 52U);
        }
    }
    if (err == MP_OKAY) {
        sp_3072_mul_52(t[1], t[1], norm);
        err = sp_3072_mod_52(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 60;
        c = bits % 60;
        n = e[i--] << (60 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 60;
            }

            y = (int)((n >> 59) & 1);
            n <<= 1;

            sp_3072_mont_mul_52(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 52 * 2);
            sp_3072_mont_sqr_52(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 52 * 2);
        }

        sp_3072_mont_reduce_52(t[0], m, mp);
        n = sp_3072_cmp_52(t[0], m);
        sp_3072_cond_sub_52(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 52 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 104];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 52 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 52 * 2);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_52(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_52(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_52(t[1], t[1], norm);
                err = sp_3072_mod_52(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_52(t[1], a, norm);
            err = sp_3072_mod_52(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 60;
        c = bits % 60;
        n = e[i--] << (60 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 60;
            }

            y = (int)((n >> 59) & 1);
            n <<= 1;

            sp_3072_mont_mul_52(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 52 * 2);
            sp_3072_mont_sqr_52(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 52 * 2);
        }

        sp_3072_mont_reduce_52(t[0], m, mp);
        n = sp_3072_cmp_52(t[0], m);
        sp_3072_cond_sub_52(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 52 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 104) + 104];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 104) + 104), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 104;
        rt = td + 1664;

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_52(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_52(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_52(t[1], t[1], norm);
                err = sp_3072_mod_52(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_52(t[1], a, norm);
            err = sp_3072_mod_52(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_3072_mont_sqr_52(t[ 2], t[ 1], m, mp);
        sp_3072_mont_mul_52(t[ 3], t[ 2], t[ 1], m, mp);
        sp_3072_mont_sqr_52(t[ 4], t[ 2], m, mp);
        sp_3072_mont_mul_52(t[ 5], t[ 3], t[ 2], m, mp);
        sp_3072_mont_sqr_52(t[ 6], t[ 3], m, mp);
        sp_3072_mont_mul_52(t[ 7], t[ 4], t[ 3], m, mp);
        sp_3072_mont_sqr_52(t[ 8], t[ 4], m, mp);
        sp_3072_mont_mul_52(t[ 9], t[ 5], t[ 4], m, mp);
        sp_3072_mont_sqr_52(t[10], t[ 5], m, mp);
        sp_3072_mont_mul_52(t[11], t[ 6], t[ 5], m, mp);
        sp_3072_mont_sqr_52(t[12], t[ 6], m, mp);
        sp_3072_mont_mul_52(t[13], t[ 7], t[ 6], m, mp);
        sp_3072_mont_sqr_52(t[14], t[ 7], m, mp);
        sp_3072_mont_mul_52(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 59) / 60) - 1;
        c = bits % 60;
        if (c == 0) {
            c = 60;
        }
        if (i < 52) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (4 - c);
            c += 60;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 104);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 4;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 56;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 4;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 60 - c;
            }

            sp_3072_mont_sqr_52(rt, rt, m, mp);
            sp_3072_mont_sqr_52(rt, rt, m, mp);
            sp_3072_mont_sqr_52(rt, rt, m, mp);
            sp_3072_mont_sqr_52(rt, rt, m, mp);

            sp_3072_mont_mul_52(rt, rt, t[y], m, mp);
        }

        sp_3072_mont_reduce_52(rt, m, mp);
        n = sp_3072_cmp_52(rt, m);
        sp_3072_cond_sub_52(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 104);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 384 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_3072(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[52 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 52 * 2;
        m = r + 52 * 2;
        norm = r;

        sp_3072_from_bin(a, 52, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_3072_from_mp(m, 52, mm);

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_52(norm, m);
    }
    if (err == MP_OKAY) {
        sp_3072_mul_52(a, a, norm);
        err = sp_3072_mod_52(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 52 * 2);
        for (i--; i>=0; i--) {
            sp_3072_mont_sqr_52(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_3072_mont_mul_52(r, r, a, m, mp);
            }
        }
        sp_3072_mont_reduce_52(r, m, mp);
        mp = sp_3072_cmp_52(r, m);
        sp_3072_cond_sub_52(r, r, m, ~(mp >> 63));

        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[52 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 52 * 2;
        m = r + 52 * 2;

        sp_3072_from_bin(a, 52, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(m, 52, mm);

        if (e[0] == 0x3) {
            sp_3072_sqr_52(r, a);
            err = sp_3072_mod_52(r, r, m);
            if (err == MP_OKAY) {
                sp_3072_mul_52(r, a, r);
                err = sp_3072_mod_52(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_3072_mont_setup(m, &mp);
            sp_3072_mont_norm_52(norm, m);

            sp_3072_mul_52(a, a, norm);
            err = sp_3072_mod_52(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 104U);
                for (i--; i>=0; i--) {
                    sp_3072_mont_sqr_52(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_3072_mont_mul_52(r, r, a, m, mp);
                    }
                }
                sp_3072_mont_reduce_52(r, m, mp);
                mp = sp_3072_cmp_52(r, m);
                sp_3072_cond_sub_52(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 384 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_3072(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[52 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 3072) {
           err = MP_READ_E;
        }
        else if (inLen > 384) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 52;
        m = a + 104;
        r = a;

        sp_3072_from_bin(a, 52, in, inLen);
        sp_3072_from_mp(d, 52, dm);
        sp_3072_from_mp(m, 52, mm);
        err = sp_3072_mod_exp_52(r, a, d, 3072, m, 0);
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 52);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[52 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 3072) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 52;
        m = a + 104;
        r = a;

        sp_3072_from_bin(a, 52, in, inLen);
        sp_3072_from_mp(d, 52, dm);
        sp_3072_from_mp(m, 52, mm);
        err = sp_3072_mod_exp_52(r, a, d, 3072, m, 0);
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 52);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[26 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 384) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 26 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 52;
        qi = dq = dp = p + 26;
        tmpa = qi + 26;
        tmpb = tmpa + 52;
        r = a;

        sp_3072_from_bin(a, 52, in, inLen);
        sp_3072_from_mp(p, 26, pm);
        sp_3072_from_mp(dp, 26, dpm);
        err = sp_3072_mod_exp_26(tmpa, a, dp, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 26, qm);
        sp_3072_from_mp(dq, 26, dqm);
        err = sp_3072_mod_exp_26(tmpb, a, dq, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 26, pm);
        (void)sp_3072_sub_26(tmpa, tmpa, tmpb);
        sp_3072_norm_26(tmpa);
        sp_3072_cond_add_26(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[25] >> 63));
        sp_3072_cond_add_26(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[25] >> 63));
        sp_3072_norm_26(tmpa);

        sp_3072_from_mp(qi, 26, qim);
        sp_3072_mul_26(tmpa, tmpa, qi);
        err = sp_3072_mod_26(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 26, qm);
        sp_3072_mul_26(tmpa, p, tmpa);
        (void)sp_3072_add_52(r, tmpb, tmpa);
        sp_3072_norm_52(r);

        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 26 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[26 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 26 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 52 * 2;
        q = p + 26;
        dp = q + 26;
        dq = dp + 26;
        qi = dq + 26;
        tmpa = qi + 26;
        tmpb = tmpa + 52;
        r = a;

        sp_3072_from_bin(a, 52, in, inLen);
        sp_3072_from_mp(p, 26, pm);
        sp_3072_from_mp(q, 26, qm);
        sp_3072_from_mp(dp, 26, dpm);
        sp_3072_from_mp(dq, 26, dqm);
        sp_3072_from_mp(qi, 26, qim);

        err = sp_3072_mod_exp_26(tmpa, a, dp, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_3072_mod_exp_26(tmpb, a, dq, 1536, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_3072_sub_26(tmpa, tmpa, tmpb);
        sp_3072_norm_26(tmpa);
        sp_3072_cond_add_26(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[25] >> 63));
        sp_3072_cond_add_26(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[25] >> 63));
        sp_3072_norm_26(tmpa);
        sp_3072_mul_26(tmpa, tmpa, qi);
        err = sp_3072_mod_26(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_3072_mul_26(tmpa, tmpa, q);
        (void)sp_3072_add_52(r, tmpb, tmpa);
        sp_3072_norm_52(r);

        sp_3072_to_bin_52(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 26 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 60
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 52);
        r->used = 52;
        mp_clamp(r);
#elif DIGIT_BIT < 60
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 52; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 60) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 60 - s;
        }
        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 52; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 60 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 60 - s;
            }
            else {
                s += 60;
            }
        }
        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_3072(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[52 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expBits > 3072) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 52 * 2;
        m = e + 52;
        r = b;

        sp_3072_from_mp(b, 52, base);
        sp_3072_from_mp(e, 52, exp);
        sp_3072_from_mp(m, 52, mod);

        err = sp_3072_mod_exp_52(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_3072_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 52U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[52 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expBits > 3072) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 52 * 2;
        m = e + 52;
        r = b;

        sp_3072_from_mp(b, 52, base);
        sp_3072_from_mp(e, 52, exp);
        sp_3072_from_mp(m, 52, mod);

        err = sp_3072_mod_exp_52(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_3072_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 52U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_3072
SP_NOINLINE static void sp_3072_lshift_52(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    r[52] = a[51] >> (60 - n);
    for (i=51; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (60 - n))) & 0xfffffffffffffffL;
    }
    r[0] = (a[0] << n) & 0xfffffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_3072_mod_exp_2_52(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[157];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 157, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 104;
        XMEMSET(td, 0, sizeof(sp_digit) * 157);

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_52(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 59) / 60) - 1;
        c = bits % 60;
        if (c == 0) {
            c = 60;
        }
        if (i < 52) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (4 - c);
            c += 60;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_3072_lshift_52(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 4;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 55;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 4;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 60 - c;
            }

            sp_3072_mont_sqr_52(r, r, m, mp);
            sp_3072_mont_sqr_52(r, r, m, mp);
            sp_3072_mont_sqr_52(r, r, m, mp);
            sp_3072_mont_sqr_52(r, r, m, mp);
            sp_3072_mont_sqr_52(r, r, m, mp);

            sp_3072_lshift_52(r, r, (byte)y);
            sp_3072_mul_d_52(tmp, norm, (r[52] << 48) + (r[51] >> 12));
            r[52] = 0;
            r[51] &= 0xfffL;
            (void)sp_3072_add_52(r, r, tmp);
            sp_3072_norm_52(r);
            o = sp_3072_cmp_52(r, m);
            sp_3072_cond_sub_52(r, r, m, ~(o >> 63));
        }

        sp_3072_mont_reduce_52(r, m, mp);
        n = sp_3072_cmp_52(r, m);
        sp_3072_cond_sub_52(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_3072 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 384 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_3072(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[52 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expLen > 384U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 52 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 52 * 2;
        m = e + 52;
        r = b;

        sp_3072_from_mp(b, 52, base);
        sp_3072_from_bin(e, 52, exp, expLen);
        sp_3072_from_mp(m, 52, mod);

    #ifdef HAVE_FFDHE_3072
        if (base->used == 1 && base->dp[0] == 2U &&
                ((m[51] << 20) | (m[50] >> 40)) == 0xffffffffL) {
            err = sp_3072_mod_exp_2_52(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_3072_mod_exp_52(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_3072
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_52(r, out);
        *outLen = 384;
        for (i=0; i<384U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 52U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_1536(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[26 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1536) {
        err = MP_READ_E;
    }
    else if (expBits > 1536) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1536) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 26 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 26 * 2;
        m = e + 26;
        r = b;

        sp_3072_from_mp(b, 26, base);
        sp_3072_from_mp(e, 26, exp);
        sp_3072_from_mp(m, 26, mod);

        err = sp_3072_mod_exp_26(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 26, 0, sizeof(*r) * 26U);
        err = sp_3072_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 52U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[26 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1536) {
        err = MP_READ_E;
    }
    else if (expBits > 1536) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1536) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 26 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 26 * 2;
        m = e + 26;
        r = b;

        sp_3072_from_mp(b, 26, base);
        sp_3072_from_mp(e, 26, exp);
        sp_3072_from_mp(m, 26, mod);

        err = sp_3072_mod_exp_26(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 26, 0, sizeof(*r) * 26U);
        err = sp_3072_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 52U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#else
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_3072_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 49U) {
            r[j] &= 0x1ffffffffffffffL;
            s = 57U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_3072_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 57
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 56);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 56);
    }
#elif DIGIT_BIT > 57
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x1ffffffffffffffL;
        s = 57U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 57U) <= (word32)DIGIT_BIT) {
            s += 57U;
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 57) {
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 57 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 384
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_3072_to_bin_54(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<53; i++) {
        r[i+1] += r[i] >> 57;
        r[i] &= 0x1ffffffffffffffL;
    }
    j = 3079 / 8 - 1;
    a[j] = 0;
    for (i=0; i<54 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 57) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 57);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Normalize the values in each word to 57 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_3072_norm_27(sp_digit* a)
{
    int i;
    for (i = 0; i < 24; i += 8) {
        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
    }
    a[25] += a[24] >> 57; a[24] &= 0x1ffffffffffffffL;
    a[26] += a[25] >> 57; a[25] &= 0x1ffffffffffffffL;
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 57 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_3072_norm_54(sp_digit* a)
{
    int i;
    for (i = 0; i < 48; i += 8) {
        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
    }
    a[49] += a[48] >> 57; a[48] &= 0x1ffffffffffffffL;
    a[50] += a[49] >> 57; a[49] &= 0x1ffffffffffffffL;
    a[51] += a[50] >> 57; a[50] &= 0x1ffffffffffffffL;
    a[52] += a[51] >> 57; a[51] &= 0x1ffffffffffffffL;
    a[53] += a[52] >> 57; a[52] &= 0x1ffffffffffffffL;
}

#ifndef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_3072_mul_9(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[9];

    t0 = ((sp_uint128)a[ 0]) * b[ 0];
    t1 = ((sp_uint128)a[ 0]) * b[ 1]
       + ((sp_uint128)a[ 1]) * b[ 0];
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 2]
       + ((sp_uint128)a[ 1]) * b[ 1]
       + ((sp_uint128)a[ 2]) * b[ 0];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 3]
       + ((sp_uint128)a[ 1]) * b[ 2]
       + ((sp_uint128)a[ 2]) * b[ 1]
       + ((sp_uint128)a[ 3]) * b[ 0];
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 4]
       + ((sp_uint128)a[ 1]) * b[ 3]
       + ((sp_uint128)a[ 2]) * b[ 2]
       + ((sp_uint128)a[ 3]) * b[ 1]
       + ((sp_uint128)a[ 4]) * b[ 0];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 5]
       + ((sp_uint128)a[ 1]) * b[ 4]
       + ((sp_uint128)a[ 2]) * b[ 3]
       + ((sp_uint128)a[ 3]) * b[ 2]
       + ((sp_uint128)a[ 4]) * b[ 1]
       + ((sp_uint128)a[ 5]) * b[ 0];
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 6]
       + ((sp_uint128)a[ 1]) * b[ 5]
       + ((sp_uint128)a[ 2]) * b[ 4]
       + ((sp_uint128)a[ 3]) * b[ 3]
       + ((sp_uint128)a[ 4]) * b[ 2]
       + ((sp_uint128)a[ 5]) * b[ 1]
       + ((sp_uint128)a[ 6]) * b[ 0];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 0]) * b[ 7]
       + ((sp_uint128)a[ 1]) * b[ 6]
       + ((sp_uint128)a[ 2]) * b[ 5]
       + ((sp_uint128)a[ 3]) * b[ 4]
       + ((sp_uint128)a[ 4]) * b[ 3]
       + ((sp_uint128)a[ 5]) * b[ 2]
       + ((sp_uint128)a[ 6]) * b[ 1]
       + ((sp_uint128)a[ 7]) * b[ 0];
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 0]) * b[ 8]
       + ((sp_uint128)a[ 1]) * b[ 7]
       + ((sp_uint128)a[ 2]) * b[ 6]
       + ((sp_uint128)a[ 3]) * b[ 5]
       + ((sp_uint128)a[ 4]) * b[ 4]
       + ((sp_uint128)a[ 5]) * b[ 3]
       + ((sp_uint128)a[ 6]) * b[ 2]
       + ((sp_uint128)a[ 7]) * b[ 1]
       + ((sp_uint128)a[ 8]) * b[ 0];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 1]) * b[ 8]
       + ((sp_uint128)a[ 2]) * b[ 7]
       + ((sp_uint128)a[ 3]) * b[ 6]
       + ((sp_uint128)a[ 4]) * b[ 5]
       + ((sp_uint128)a[ 5]) * b[ 4]
       + ((sp_uint128)a[ 6]) * b[ 3]
       + ((sp_uint128)a[ 7]) * b[ 2]
       + ((sp_uint128)a[ 8]) * b[ 1];
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 2]) * b[ 8]
       + ((sp_uint128)a[ 3]) * b[ 7]
       + ((sp_uint128)a[ 4]) * b[ 6]
       + ((sp_uint128)a[ 5]) * b[ 5]
       + ((sp_uint128)a[ 6]) * b[ 4]
       + ((sp_uint128)a[ 7]) * b[ 3]
       + ((sp_uint128)a[ 8]) * b[ 2];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 3]) * b[ 8]
       + ((sp_uint128)a[ 4]) * b[ 7]
       + ((sp_uint128)a[ 5]) * b[ 6]
       + ((sp_uint128)a[ 6]) * b[ 5]
       + ((sp_uint128)a[ 7]) * b[ 4]
       + ((sp_uint128)a[ 8]) * b[ 3];
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 4]) * b[ 8]
       + ((sp_uint128)a[ 5]) * b[ 7]
       + ((sp_uint128)a[ 6]) * b[ 6]
       + ((sp_uint128)a[ 7]) * b[ 5]
       + ((sp_uint128)a[ 8]) * b[ 4];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 5]) * b[ 8]
       + ((sp_uint128)a[ 6]) * b[ 7]
       + ((sp_uint128)a[ 7]) * b[ 6]
       + ((sp_uint128)a[ 8]) * b[ 5];
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 6]) * b[ 8]
       + ((sp_uint128)a[ 7]) * b[ 7]
       + ((sp_uint128)a[ 8]) * b[ 6];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_uint128)a[ 7]) * b[ 8]
       + ((sp_uint128)a[ 8]) * b[ 7];
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_uint128)a[ 8]) * b[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];
    r[ 7] = a[ 7] + b[ 7];
    r[ 8] = a[ 8] + b[ 8];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[16] = a[16] - b[16];
    r[17] = a[17] - b[17];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[16] = a[16] + b[16];
    r[17] = a[17] + b[17];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_3072_mul_27(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit p0[18];
    sp_digit p1[18];
    sp_digit p2[18];
    sp_digit p3[18];
    sp_digit p4[18];
    sp_digit p5[18];
    sp_digit t0[18];
    sp_digit t1[18];
    sp_digit t2[18];
    sp_digit a0[9];
    sp_digit a1[9];
    sp_digit a2[9];
    sp_digit b0[9];
    sp_digit b1[9];
    sp_digit b2[9];
    (void)sp_3072_add_9(a0, a, &a[9]);
    (void)sp_3072_add_9(b0, b, &b[9]);
    (void)sp_3072_add_9(a1, &a[9], &a[18]);
    (void)sp_3072_add_9(b1, &b[9], &b[18]);
    (void)sp_3072_add_9(a2, a0, &a[18]);
    (void)sp_3072_add_9(b2, b0, &b[18]);
    sp_3072_mul_9(p0, a, b);
    sp_3072_mul_9(p2, &a[9], &b[9]);
    sp_3072_mul_9(p4, &a[18], &b[18]);
    sp_3072_mul_9(p1, a0, b0);
    sp_3072_mul_9(p3, a1, b1);
    sp_3072_mul_9(p5, a2, b2);
    XMEMSET(r, 0, sizeof(*r)*2U*27U);
    (void)sp_3072_sub_18(t0, p3, p2);
    (void)sp_3072_sub_18(t1, p1, p2);
    (void)sp_3072_sub_18(t2, p5, t0);
    (void)sp_3072_sub_18(t2, t2, t1);
    (void)sp_3072_sub_18(t0, t0, p4);
    (void)sp_3072_sub_18(t1, t1, p0);
    (void)sp_3072_add_18(r, r, p0);
    (void)sp_3072_add_18(&r[9], &r[9], t1);
    (void)sp_3072_add_18(&r[18], &r[18], t2);
    (void)sp_3072_add_18(&r[27], &r[27], t0);
    (void)sp_3072_add_18(&r[36], &r[36], p4);
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_27(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[24] = a[24] + b[24];
    r[25] = a[25] + b[25];
    r[26] = a[26] + b[26];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_add_54(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 48; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[48] = a[48] + b[48];
    r[49] = a[49] + b[49];
    r[50] = a[50] + b[50];
    r[51] = a[51] + b[51];
    r[52] = a[52] + b[52];
    r[53] = a[53] + b[53];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_sub_54(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 48; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[48] = a[48] - b[48];
    r[49] = a[49] - b[49];
    r[50] = a[50] - b[50];
    r[51] = a[51] - b[51];
    r[52] = a[52] - b[52];
    r[53] = a[53] - b[53];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_3072_mul_54(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit* z0 = r;
    sp_digit z1[54];
    sp_digit* a1 = z1;
    sp_digit b1[27];
    sp_digit* z2 = r + 54;
    (void)sp_3072_add_27(a1, a, &a[27]);
    (void)sp_3072_add_27(b1, b, &b[27]);
    sp_3072_mul_27(z2, &a[27], &b[27]);
    sp_3072_mul_27(z0, a, b);
    sp_3072_mul_27(z1, a1, b1);
    (void)sp_3072_sub_54(z1, z1, z2);
    (void)sp_3072_sub_54(z1, z1, z0);
    (void)sp_3072_add_54(r + 27, r + 27, z1);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_3072_sqr_9(sp_digit* r, const sp_digit* a)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[9];

    t0 =  ((sp_uint128)a[ 0]) * a[ 0];
    t1 = (((sp_uint128)a[ 0]) * a[ 1]) * 2;
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 2]) * 2
       +  ((sp_uint128)a[ 1]) * a[ 1];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 3]
       +  ((sp_uint128)a[ 1]) * a[ 2]) * 2;
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 4]
       +  ((sp_uint128)a[ 1]) * a[ 3]) * 2
       +  ((sp_uint128)a[ 2]) * a[ 2];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 5]
       +  ((sp_uint128)a[ 1]) * a[ 4]
       +  ((sp_uint128)a[ 2]) * a[ 3]) * 2;
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 6]
       +  ((sp_uint128)a[ 1]) * a[ 5]
       +  ((sp_uint128)a[ 2]) * a[ 4]) * 2
       +  ((sp_uint128)a[ 3]) * a[ 3];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 0]) * a[ 7]
       +  ((sp_uint128)a[ 1]) * a[ 6]
       +  ((sp_uint128)a[ 2]) * a[ 5]
       +  ((sp_uint128)a[ 3]) * a[ 4]) * 2;
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 0]) * a[ 8]
       +  ((sp_uint128)a[ 1]) * a[ 7]
       +  ((sp_uint128)a[ 2]) * a[ 6]
       +  ((sp_uint128)a[ 3]) * a[ 5]) * 2
       +  ((sp_uint128)a[ 4]) * a[ 4];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 1]) * a[ 8]
       +  ((sp_uint128)a[ 2]) * a[ 7]
       +  ((sp_uint128)a[ 3]) * a[ 6]
       +  ((sp_uint128)a[ 4]) * a[ 5]) * 2;
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 2]) * a[ 8]
       +  ((sp_uint128)a[ 3]) * a[ 7]
       +  ((sp_uint128)a[ 4]) * a[ 6]) * 2
       +  ((sp_uint128)a[ 5]) * a[ 5];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 3]) * a[ 8]
       +  ((sp_uint128)a[ 4]) * a[ 7]
       +  ((sp_uint128)a[ 5]) * a[ 6]) * 2;
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 4]) * a[ 8]
       +  ((sp_uint128)a[ 5]) * a[ 7]) * 2
       +  ((sp_uint128)a[ 6]) * a[ 6];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 5]) * a[ 8]
       +  ((sp_uint128)a[ 6]) * a[ 7]) * 2;
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_uint128)a[ 6]) * a[ 8]) * 2
       +  ((sp_uint128)a[ 7]) * a[ 7];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_uint128)a[ 7]) * a[ 8]) * 2;
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 =  ((sp_uint128)a[ 8]) * a[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Square a into r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_3072_sqr_27(sp_digit* r, const sp_digit* a)
{
    sp_digit p0[18];
    sp_digit p1[18];
    sp_digit p2[18];
    sp_digit p3[18];
    sp_digit p4[18];
    sp_digit p5[18];
    sp_digit t0[18];
    sp_digit t1[18];
    sp_digit t2[18];
    sp_digit a0[9];
    sp_digit a1[9];
    sp_digit a2[9];
    (void)sp_3072_add_9(a0, a, &a[9]);
    (void)sp_3072_add_9(a1, &a[9], &a[18]);
    (void)sp_3072_add_9(a2, a0, &a[18]);
    sp_3072_sqr_9(p0, a);
    sp_3072_sqr_9(p2, &a[9]);
    sp_3072_sqr_9(p4, &a[18]);
    sp_3072_sqr_9(p1, a0);
    sp_3072_sqr_9(p3, a1);
    sp_3072_sqr_9(p5, a2);
    XMEMSET(r, 0, sizeof(*r)*2U*27U);
    (void)sp_3072_sub_18(t0, p3, p2);
    (void)sp_3072_sub_18(t1, p1, p2);
    (void)sp_3072_sub_18(t2, p5, t0);
    (void)sp_3072_sub_18(t2, t2, t1);
    (void)sp_3072_sub_18(t0, t0, p4);
    (void)sp_3072_sub_18(t1, t1, p0);
    (void)sp_3072_add_18(r, r, p0);
    (void)sp_3072_add_18(&r[9], &r[9], t1);
    (void)sp_3072_add_18(&r[18], &r[18], t2);
    (void)sp_3072_add_18(&r[27], &r[27], t0);
    (void)sp_3072_add_18(&r[36], &r[36], p4);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_3072_sqr_54(sp_digit* r, const sp_digit* a)
{
    sp_digit* z0 = r;
    sp_digit z1[54];
    sp_digit* a1 = z1;
    sp_digit* z2 = r + 54;
    (void)sp_3072_add_27(a1, a, &a[27]);
    sp_3072_sqr_27(z2, &a[27]);
    sp_3072_sqr_27(z0, a);
    sp_3072_sqr_27(z1, a1);
    (void)sp_3072_sub_54(z1, z1, z2);
    (void)sp_3072_sub_54(z1, z1, z0);
    (void)sp_3072_add_54(r + 27, r + 27, z1);
}

#endif /* !WOLFSSL_SP_SMALL */
/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_3072_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0x1ffffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 57) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_54(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 52; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[52];
    r[52] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    t += tb * a[53];
    r[53] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    r[54] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_3072_sub_27(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[24] = a[24] - b[24];
    r[25] = a[25] - b[25];
    r[26] = a[26] - b[26];

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 3072 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_3072_mont_norm_27(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = 0x1ffffffffffffffL;
        r[i + 1] = 0x1ffffffffffffffL;
        r[i + 2] = 0x1ffffffffffffffL;
        r[i + 3] = 0x1ffffffffffffffL;
        r[i + 4] = 0x1ffffffffffffffL;
        r[i + 5] = 0x1ffffffffffffffL;
        r[i + 6] = 0x1ffffffffffffffL;
        r[i + 7] = 0x1ffffffffffffffL;
    }
    r[24] = 0x1ffffffffffffffL;
    r[25] = 0x1ffffffffffffffL;
    r[26] = 0x3fffffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_3072_sub_27(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_3072_cmp_27(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[26] - b[26]) & (0 - (sp_digit)1);
    r |= (a[25] - b[25]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[24] - b[24]) & ~(((sp_digit)0 - r) >> 56);
    for (i = 16; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 56);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_3072_cond_sub_27(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[24] = a[24] - (b[24] & m);
    r[25] = a[25] - (b[25] & m);
    r[26] = a[26] - (b[26] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_add_27(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
    for (i = 0; i < 24; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
    }
    t[1] = tb * a[25];
    r[25] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
    t[2] = tb * a[26];
    r[26] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
    r[27] +=  (sp_digit)(t[2] >> 57);
}

/* Shift the result in the high 1536 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_3072_mont_shift_27(sp_digit* r, const sp_digit* a)
{
    sp_digit n;
    sp_digit s;
    int i;

    s = a[27]; n = a[26] >> 54;
    for (i = 0; i < 24; i += 8) {
        n += (s & 0x1ffffffffffffffL) << 3; r[i+0] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+28] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+1] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+29] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+2] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+30] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+3] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+31] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+4] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+32] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+5] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+33] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+6] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+34] + (s >> 57);
        n += (s & 0x1ffffffffffffffL) << 3; r[i+7] = n & 0x1ffffffffffffffL;
        n >>= 57; s = a[i+35] + (s >> 57);
    }
    n += (s & 0x1ffffffffffffffL) << 3; r[24] = n & 0x1ffffffffffffffL;
    n >>= 57; s = a[52] + (s >> 57);
    n += (s & 0x1ffffffffffffffL) << 3; r[25] = n & 0x1ffffffffffffffL;
    n >>= 57; s = a[53] + (s >> 57);
    n += s << 3;              r[26] = n;
    XMEMSET(&r[27], 0, sizeof(*r) * 27U);
}

/* Reduce the number back to 3072 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_3072_mont_reduce_27(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_3072_norm_27(a + 27);

    for (i=0; i<26; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
        sp_3072_mul_add_27(a+i, m, mu);
        a[i+1] += a[i] >> 57;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x3fffffffffffffL;
    sp_3072_mul_add_27(a+i, m, mu);
    a[i+1] += a[i] >> 57;
    a[i] &= 0x1ffffffffffffffL;
    sp_3072_mont_shift_27(a, a);
    over = a[26] - m[26];
    sp_3072_cond_sub_27(a, a, m, ~((over - 1) >> 63));
    sp_3072_norm_27(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_mul_27(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_3072_mul_27(r, a, b);
    sp_3072_mont_reduce_27(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_sqr_27(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_3072_sqr_27(r, a);
    sp_3072_mont_reduce_27(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_27(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 24; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[24];
    r[24] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    t += tb * a[25];
    r[25] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    t += tb * a[26];
    r[26] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    r[27] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_3072_cond_add_27(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[24] = a[24] + (b[24] & m);
    r[25] = a[25] + (b[25] & m);
    r[26] = a[26] + (b[26] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_3072_rshift_27(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<24; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (57 - n)) & 0x1ffffffffffffffL);
    }
    r[24] = (a[24] >> n) | ((a[25] << (57 - n)) & 0x1ffffffffffffffL);
    r[25] = (a[25] >> n) | ((a[26] << (57 - n)) & 0x1ffffffffffffffL);
    r[26] = a[26] >> n;
}

static WC_INLINE sp_digit sp_3072_div_word_27(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 57) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 57);
    sp_digit t0 = (sp_digit)(d & 0x1ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 55; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 56) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 57);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 114) - (sp_digit)(d >> 114);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 26) + 1;

    t = (sp_digit)(d >> 52);
    t = (t / dv) << 26;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 21);
    t = t / (dv << 5);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_3072_word_div_word_27(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_div_27(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 27 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 27 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 54 + 1;
        sd = t2 + 27 + 1;

        sp_3072_mul_d_27(sd, d, (sp_digit)1 << 3);
        sp_3072_mul_d_54(t1, a, (sp_digit)1 << 3);
        dv = sd[26];
        t1[27 + 27] += t1[27 + 27 - 1] >> 57;
        t1[27 + 27 - 1] &= 0x1ffffffffffffffL;
        for (i=27; i>=0; i--) {
            r1 = sp_3072_div_word_27(t1[27 + i], t1[27 + i - 1], dv);

            sp_3072_mul_d_27(t2, sd, r1);
            (void)sp_3072_sub_27(&t1[i], &t1[i], t2);
            sp_3072_norm_27(&t1[i]);
            t1[27 + i] -= t2[27];
            t1[27 + i] += t1[27 + i - 1] >> 57;
            t1[27 + i - 1] &= 0x1ffffffffffffffL;
            r1 = sp_3072_div_word_27(-t1[27 + i], -t1[27 + i - 1], dv);
            r1 -= t1[27 + i];
            sp_3072_mul_d_27(t2, sd, r1);
            (void)sp_3072_add_27(&t1[i], &t1[i], t2);
            t1[27 + i] += t1[27 + i - 1] >> 57;
            t1[27 + i - 1] &= 0x1ffffffffffffffL;
        }
        t1[27 - 1] += t1[27 - 2] >> 57;
        t1[27 - 2] &= 0x1ffffffffffffffL;
        r1 = sp_3072_word_div_word_27(t1[27 - 1], dv);

        sp_3072_mul_d_27(t2, sd, r1);
        sp_3072_sub_27(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 54U);
        for (i=0; i<26; i++) {
            r[i+1] += r[i] >> 57;
            r[i] &= 0x1ffffffffffffffL;
        }
        sp_3072_cond_add_27(r, r, sd, r[26] >> 63);

        sp_3072_norm_27(r);
        sp_3072_rshift_27(r, r, 3);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_mod_27(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_3072_div_27(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_3072_mod_exp_27(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 54];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 27 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 27 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 27U * 2U);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_27(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_27(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 27U);
        }
    }
    if (err == MP_OKAY) {
        sp_3072_mul_27(t[1], t[1], norm);
        err = sp_3072_mod_27(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_3072_mont_mul_27(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 27 * 2);
            sp_3072_mont_sqr_27(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 27 * 2);
        }

        sp_3072_mont_reduce_27(t[0], m, mp);
        n = sp_3072_cmp_27(t[0], m);
        sp_3072_cond_sub_27(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 27 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 54];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 27 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 27 * 2);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_27(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_27(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_27(t[1], t[1], norm);
                err = sp_3072_mod_27(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_27(t[1], a, norm);
            err = sp_3072_mod_27(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_3072_mont_mul_27(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 27 * 2);
            sp_3072_mont_sqr_27(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 27 * 2);
        }

        sp_3072_mont_reduce_27(t[0], m, mp);
        n = sp_3072_cmp_27(t[0], m);
        sp_3072_cond_sub_27(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 27 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 54) + 54];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 54) + 54), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 54;
        rt = td + 1728;

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_27(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_27(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_27(t[1], t[1], norm);
                err = sp_3072_mod_27(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_27(t[1], a, norm);
            err = sp_3072_mod_27(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_3072_mont_sqr_27(t[ 2], t[ 1], m, mp);
        sp_3072_mont_mul_27(t[ 3], t[ 2], t[ 1], m, mp);
        sp_3072_mont_sqr_27(t[ 4], t[ 2], m, mp);
        sp_3072_mont_mul_27(t[ 5], t[ 3], t[ 2], m, mp);
        sp_3072_mont_sqr_27(t[ 6], t[ 3], m, mp);
        sp_3072_mont_mul_27(t[ 7], t[ 4], t[ 3], m, mp);
        sp_3072_mont_sqr_27(t[ 8], t[ 4], m, mp);
        sp_3072_mont_mul_27(t[ 9], t[ 5], t[ 4], m, mp);
        sp_3072_mont_sqr_27(t[10], t[ 5], m, mp);
        sp_3072_mont_mul_27(t[11], t[ 6], t[ 5], m, mp);
        sp_3072_mont_sqr_27(t[12], t[ 6], m, mp);
        sp_3072_mont_mul_27(t[13], t[ 7], t[ 6], m, mp);
        sp_3072_mont_sqr_27(t[14], t[ 7], m, mp);
        sp_3072_mont_mul_27(t[15], t[ 8], t[ 7], m, mp);
        sp_3072_mont_sqr_27(t[16], t[ 8], m, mp);
        sp_3072_mont_mul_27(t[17], t[ 9], t[ 8], m, mp);
        sp_3072_mont_sqr_27(t[18], t[ 9], m, mp);
        sp_3072_mont_mul_27(t[19], t[10], t[ 9], m, mp);
        sp_3072_mont_sqr_27(t[20], t[10], m, mp);
        sp_3072_mont_mul_27(t[21], t[11], t[10], m, mp);
        sp_3072_mont_sqr_27(t[22], t[11], m, mp);
        sp_3072_mont_mul_27(t[23], t[12], t[11], m, mp);
        sp_3072_mont_sqr_27(t[24], t[12], m, mp);
        sp_3072_mont_mul_27(t[25], t[13], t[12], m, mp);
        sp_3072_mont_sqr_27(t[26], t[13], m, mp);
        sp_3072_mont_mul_27(t[27], t[14], t[13], m, mp);
        sp_3072_mont_sqr_27(t[28], t[14], m, mp);
        sp_3072_mont_mul_27(t[29], t[15], t[14], m, mp);
        sp_3072_mont_sqr_27(t[30], t[15], m, mp);
        sp_3072_mont_mul_27(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 27) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 54);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 52;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 7;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_3072_mont_sqr_27(rt, rt, m, mp);
            sp_3072_mont_sqr_27(rt, rt, m, mp);
            sp_3072_mont_sqr_27(rt, rt, m, mp);
            sp_3072_mont_sqr_27(rt, rt, m, mp);
            sp_3072_mont_sqr_27(rt, rt, m, mp);

            sp_3072_mont_mul_27(rt, rt, t[y], m, mp);
        }

        sp_3072_mont_reduce_27(rt, m, mp);
        n = sp_3072_cmp_27(rt, m);
        sp_3072_cond_sub_27(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 54);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) | WOLFSSL_HAVE_SP_DH */

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 3072 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_3072_mont_norm_54(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 48; i += 8) {
        r[i + 0] = 0x1ffffffffffffffL;
        r[i + 1] = 0x1ffffffffffffffL;
        r[i + 2] = 0x1ffffffffffffffL;
        r[i + 3] = 0x1ffffffffffffffL;
        r[i + 4] = 0x1ffffffffffffffL;
        r[i + 5] = 0x1ffffffffffffffL;
        r[i + 6] = 0x1ffffffffffffffL;
        r[i + 7] = 0x1ffffffffffffffL;
    }
    r[48] = 0x1ffffffffffffffL;
    r[49] = 0x1ffffffffffffffL;
    r[50] = 0x1ffffffffffffffL;
    r[51] = 0x1ffffffffffffffL;
    r[52] = 0x1ffffffffffffffL;
    r[53] = 0x7ffffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_3072_sub_54(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_3072_cmp_54(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[53] - b[53]) & (0 - (sp_digit)1);
    r |= (a[52] - b[52]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[51] - b[51]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[50] - b[50]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[49] - b[49]) & ~(((sp_digit)0 - r) >> 56);
    r |= (a[48] - b[48]) & ~(((sp_digit)0 - r) >> 56);
    for (i = 40; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 56);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_3072_cond_sub_54(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 48; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[48] = a[48] - (b[48] & m);
    r[49] = a[49] - (b[49] & m);
    r[50] = a[50] - (b[50] & m);
    r[51] = a[51] - (b[51] & m);
    r[52] = a[52] - (b[52] & m);
    r[53] = a[53] - (b[53] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_add_54(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
    for (i = 0; i < 48; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
    }
    t[1] = tb * a[49];
    r[49] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
    t[2] = tb * a[50];
    r[50] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
    t[3] = tb * a[51];
    r[51] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
    t[4] = tb * a[52];
    r[52] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
    t[5] = tb * a[53];
    r[53] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
    r[54] +=  (sp_digit)(t[5] >> 57);
}

/* Shift the result in the high 3072 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_3072_mont_shift_54(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[53] >> 51;
    n += ((sp_int128)a[54]) << 6;
    for (i = 0; i < 48; i += 8) {
        r[i + 0] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 55]) << 6;
        r[i + 1] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 56]) << 6;
        r[i + 2] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 57]) << 6;
        r[i + 3] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 58]) << 6;
        r[i + 4] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 59]) << 6;
        r[i + 5] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 60]) << 6;
        r[i + 6] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 61]) << 6;
        r[i + 7] = n & 0x1ffffffffffffffL;
        n >>= 57; n += ((sp_int128)a[i + 62]) << 6;
    }
    r[48] = n & 0x1ffffffffffffffL; n >>= 57; n += ((sp_int128)a[103]) << 6;
    r[49] = n & 0x1ffffffffffffffL; n >>= 57; n += ((sp_int128)a[104]) << 6;
    r[50] = n & 0x1ffffffffffffffL; n >>= 57; n += ((sp_int128)a[105]) << 6;
    r[51] = n & 0x1ffffffffffffffL; n >>= 57; n += ((sp_int128)a[106]) << 6;
    r[52] = n & 0x1ffffffffffffffL; n >>= 57; n += ((sp_int128)a[107]) << 6;
    r[53] = (sp_digit)n;
    XMEMSET(&r[54], 0, sizeof(*r) * 54U);
}

/* Reduce the number back to 3072 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_3072_mont_reduce_54(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_3072_norm_54(a + 54);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<53; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
            sp_3072_mul_add_54(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffffffL;
        sp_3072_mul_add_54(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
    else {
        for (i=0; i<53; i++) {
            mu = a[i] & 0x1ffffffffffffffL;
            sp_3072_mul_add_54(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = a[i] & 0x7ffffffffffffL;
        sp_3072_mul_add_54(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
#else
    for (i=0; i<53; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
        sp_3072_mul_add_54(a+i, m, mu);
        a[i+1] += a[i] >> 57;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffffffL;
    sp_3072_mul_add_54(a+i, m, mu);
    a[i+1] += a[i] >> 57;
    a[i] &= 0x1ffffffffffffffL;
#endif
    sp_3072_mont_shift_54(a, a);
    over = a[53] - m[53];
    sp_3072_cond_sub_54(a, a, m, ~((over - 1) >> 63));
    sp_3072_norm_54(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_mul_54(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_3072_mul_54(r, a, b);
    sp_3072_mont_reduce_54(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_3072_mont_sqr_54(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_3072_sqr_54(r, a);
    sp_3072_mont_reduce_54(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_3072_mul_d_108(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 108; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    r[108] = (sp_digit)(t & 0x1ffffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_3072_cond_add_54(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 48; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[48] = a[48] + (b[48] & m);
    r[49] = a[49] + (b[49] & m);
    r[50] = a[50] + (b[50] & m);
    r[51] = a[51] + (b[51] & m);
    r[52] = a[52] + (b[52] & m);
    r[53] = a[53] + (b[53] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_3072_rshift_54(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<48; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (57 - n)) & 0x1ffffffffffffffL);
    }
    r[48] = (a[48] >> n) | ((a[49] << (57 - n)) & 0x1ffffffffffffffL);
    r[49] = (a[49] >> n) | ((a[50] << (57 - n)) & 0x1ffffffffffffffL);
    r[50] = (a[50] >> n) | ((a[51] << (57 - n)) & 0x1ffffffffffffffL);
    r[51] = (a[51] >> n) | ((a[52] << (57 - n)) & 0x1ffffffffffffffL);
    r[52] = (a[52] >> n) | ((a[53] << (57 - n)) & 0x1ffffffffffffffL);
    r[53] = a[53] >> n;
}

static WC_INLINE sp_digit sp_3072_div_word_54(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 57) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 57);
    sp_digit t0 = (sp_digit)(d & 0x1ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 55; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 56) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 57);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 114) - (sp_digit)(d >> 114);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 26) + 1;

    t = (sp_digit)(d >> 52);
    t = (t / dv) << 26;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 21);
    t = t / (dv << 5);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_3072_word_div_word_54(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_div_54(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 54 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 54 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 108 + 1;
        sd = t2 + 54 + 1;

        sp_3072_mul_d_54(sd, d, (sp_digit)1 << 6);
        sp_3072_mul_d_108(t1, a, (sp_digit)1 << 6);
        dv = sd[53];
        t1[54 + 54] += t1[54 + 54 - 1] >> 57;
        t1[54 + 54 - 1] &= 0x1ffffffffffffffL;
        for (i=54; i>=0; i--) {
            r1 = sp_3072_div_word_54(t1[54 + i], t1[54 + i - 1], dv);

            sp_3072_mul_d_54(t2, sd, r1);
            (void)sp_3072_sub_54(&t1[i], &t1[i], t2);
            sp_3072_norm_54(&t1[i]);
            t1[54 + i] -= t2[54];
            t1[54 + i] += t1[54 + i - 1] >> 57;
            t1[54 + i - 1] &= 0x1ffffffffffffffL;
            r1 = sp_3072_div_word_54(-t1[54 + i], -t1[54 + i - 1], dv);
            r1 -= t1[54 + i];
            sp_3072_mul_d_54(t2, sd, r1);
            (void)sp_3072_add_54(&t1[i], &t1[i], t2);
            t1[54 + i] += t1[54 + i - 1] >> 57;
            t1[54 + i - 1] &= 0x1ffffffffffffffL;
        }
        t1[54 - 1] += t1[54 - 2] >> 57;
        t1[54 - 2] &= 0x1ffffffffffffffL;
        r1 = sp_3072_word_div_word_54(t1[54 - 1], dv);

        sp_3072_mul_d_54(t2, sd, r1);
        sp_3072_sub_54(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 108U);
        for (i=0; i<53; i++) {
            r[i+1] += r[i] >> 57;
            r[i] &= 0x1ffffffffffffffL;
        }
        sp_3072_cond_add_54(r, r, sd, r[53] >> 63);

        sp_3072_norm_54(r);
        sp_3072_rshift_54(r, r, 6);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_3072_mod_54(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_3072_div_54(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
                                                     defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_3072_mod_exp_54(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 108];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 54 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 54 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 54U * 2U);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_54(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_54(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 54U);
        }
    }
    if (err == MP_OKAY) {
        sp_3072_mul_54(t[1], t[1], norm);
        err = sp_3072_mod_54(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_3072_mont_mul_54(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 54 * 2);
            sp_3072_mont_sqr_54(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 54 * 2);
        }

        sp_3072_mont_reduce_54(t[0], m, mp);
        n = sp_3072_cmp_54(t[0], m);
        sp_3072_cond_sub_54(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 54 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 108];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 54 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 54 * 2);
        }

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_54(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_54(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_54(t[1], t[1], norm);
                err = sp_3072_mod_54(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_54(t[1], a, norm);
            err = sp_3072_mod_54(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 57;
        c = bits % 57;
        n = e[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 57;
            }

            y = (int)((n >> 56) & 1);
            n <<= 1;

            sp_3072_mont_mul_54(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 54 * 2);
            sp_3072_mont_sqr_54(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 54 * 2);
        }

        sp_3072_mont_reduce_54(t[0], m, mp);
        n = sp_3072_cmp_54(t[0], m);
        sp_3072_cond_sub_54(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 54 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 108) + 108];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 108) + 108), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 108;
        rt = td + 1728;

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_54(norm, m);

        if (reduceA != 0) {
            err = sp_3072_mod_54(t[1], a, m);
            if (err == MP_OKAY) {
                sp_3072_mul_54(t[1], t[1], norm);
                err = sp_3072_mod_54(t[1], t[1], m);
            }
        }
        else {
            sp_3072_mul_54(t[1], a, norm);
            err = sp_3072_mod_54(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_3072_mont_sqr_54(t[ 2], t[ 1], m, mp);
        sp_3072_mont_mul_54(t[ 3], t[ 2], t[ 1], m, mp);
        sp_3072_mont_sqr_54(t[ 4], t[ 2], m, mp);
        sp_3072_mont_mul_54(t[ 5], t[ 3], t[ 2], m, mp);
        sp_3072_mont_sqr_54(t[ 6], t[ 3], m, mp);
        sp_3072_mont_mul_54(t[ 7], t[ 4], t[ 3], m, mp);
        sp_3072_mont_sqr_54(t[ 8], t[ 4], m, mp);
        sp_3072_mont_mul_54(t[ 9], t[ 5], t[ 4], m, mp);
        sp_3072_mont_sqr_54(t[10], t[ 5], m, mp);
        sp_3072_mont_mul_54(t[11], t[ 6], t[ 5], m, mp);
        sp_3072_mont_sqr_54(t[12], t[ 6], m, mp);
        sp_3072_mont_mul_54(t[13], t[ 7], t[ 6], m, mp);
        sp_3072_mont_sqr_54(t[14], t[ 7], m, mp);
        sp_3072_mont_mul_54(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 54) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 108);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 53;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 7;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_3072_mont_sqr_54(rt, rt, m, mp);
            sp_3072_mont_sqr_54(rt, rt, m, mp);
            sp_3072_mont_sqr_54(rt, rt, m, mp);
            sp_3072_mont_sqr_54(rt, rt, m, mp);

            sp_3072_mont_mul_54(rt, rt, t[y], m, mp);
        }

        sp_3072_mont_reduce_54(rt, m, mp);
        n = sp_3072_cmp_54(rt, m);
        sp_3072_cond_sub_54(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 108);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}
#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) || */
       /* WOLFSSL_HAVE_SP_DH */

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 384 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_3072(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[54 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 54 * 2;
        m = r + 54 * 2;
        norm = r;

        sp_3072_from_bin(a, 54, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_3072_from_mp(m, 54, mm);

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_54(norm, m);
    }
    if (err == MP_OKAY) {
        sp_3072_mul_54(a, a, norm);
        err = sp_3072_mod_54(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 54 * 2);
        for (i--; i>=0; i--) {
            sp_3072_mont_sqr_54(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_3072_mont_mul_54(r, r, a, m, mp);
            }
        }
        sp_3072_mont_reduce_54(r, m, mp);
        mp = sp_3072_cmp_54(r, m);
        sp_3072_cond_sub_54(r, r, m, ~(mp >> 63));

        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[54 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 54 * 2;
        m = r + 54 * 2;

        sp_3072_from_bin(a, 54, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(m, 54, mm);

        if (e[0] == 0x3) {
            sp_3072_sqr_54(r, a);
            err = sp_3072_mod_54(r, r, m);
            if (err == MP_OKAY) {
                sp_3072_mul_54(r, a, r);
                err = sp_3072_mod_54(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_3072_mont_setup(m, &mp);
            sp_3072_mont_norm_54(norm, m);

            sp_3072_mul_54(a, a, norm);
            err = sp_3072_mod_54(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 108U);
                for (i--; i>=0; i--) {
                    sp_3072_mont_sqr_54(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_3072_mont_mul_54(r, r, a, m, mp);
                    }
                }
                sp_3072_mont_reduce_54(r, m, mp);
                mp = sp_3072_cmp_54(r, m);
                sp_3072_cond_sub_54(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 384 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_3072(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[54 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 3072) {
           err = MP_READ_E;
        }
        else if (inLen > 384) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 54;
        m = a + 108;
        r = a;

        sp_3072_from_bin(a, 54, in, inLen);
        sp_3072_from_mp(d, 54, dm);
        sp_3072_from_mp(m, 54, mm);
        err = sp_3072_mod_exp_54(r, a, d, 3072, m, 0);
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 54);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[54 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 3072) {
            err = MP_READ_E;
        }
        else if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 54;
        m = a + 108;
        r = a;

        sp_3072_from_bin(a, 54, in, inLen);
        sp_3072_from_mp(d, 54, dm);
        sp_3072_from_mp(m, 54, mm);
        err = sp_3072_mod_exp_54(r, a, d, 3072, m, 0);
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 54);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[27 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 384) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 27 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 54;
        qi = dq = dp = p + 27;
        tmpa = qi + 27;
        tmpb = tmpa + 54;
        r = a;

        sp_3072_from_bin(a, 54, in, inLen);
        sp_3072_from_mp(p, 27, pm);
        sp_3072_from_mp(dp, 27, dpm);
        err = sp_3072_mod_exp_27(tmpa, a, dp, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 27, qm);
        sp_3072_from_mp(dq, 27, dqm);
        err = sp_3072_mod_exp_27(tmpb, a, dq, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 27, pm);
        (void)sp_3072_sub_27(tmpa, tmpa, tmpb);
        sp_3072_norm_27(tmpa);
        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
        sp_3072_norm_27(tmpa);

        sp_3072_from_mp(qi, 27, qim);
        sp_3072_mul_27(tmpa, tmpa, qi);
        err = sp_3072_mod_27(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_3072_from_mp(p, 27, qm);
        sp_3072_mul_27(tmpa, p, tmpa);
        (void)sp_3072_add_54(r, tmpb, tmpa);
        sp_3072_norm_54(r);

        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 27 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[27 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 384U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 384U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 3072) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 27 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 54 * 2;
        q = p + 27;
        dp = q + 27;
        dq = dp + 27;
        qi = dq + 27;
        tmpa = qi + 27;
        tmpb = tmpa + 54;
        r = a;

        sp_3072_from_bin(a, 54, in, inLen);
        sp_3072_from_mp(p, 27, pm);
        sp_3072_from_mp(q, 27, qm);
        sp_3072_from_mp(dp, 27, dpm);
        sp_3072_from_mp(dq, 27, dqm);
        sp_3072_from_mp(qi, 27, qim);

        err = sp_3072_mod_exp_27(tmpa, a, dp, 1536, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_3072_mod_exp_27(tmpb, a, dq, 1536, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_3072_sub_27(tmpa, tmpa, tmpb);
        sp_3072_norm_27(tmpa);
        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
        sp_3072_cond_add_27(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[26] >> 63));
        sp_3072_norm_27(tmpa);
        sp_3072_mul_27(tmpa, tmpa, qi);
        err = sp_3072_mod_27(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_3072_mul_27(tmpa, tmpa, q);
        (void)sp_3072_add_54(r, tmpb, tmpa);
        sp_3072_norm_54(r);

        sp_3072_to_bin_54(r, out);
        *outLen = 384;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 27 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_3072_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (3072 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 57
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 54);
        r->used = 54;
        mp_clamp(r);
#elif DIGIT_BIT < 57
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 54; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 57) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 57 - s;
        }
        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 54; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 57 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 57 - s;
            }
            else {
                s += 57;
            }
        }
        r->used = (3072 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_3072(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[54 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expBits > 3072) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 54 * 2;
        m = e + 54;
        r = b;

        sp_3072_from_mp(b, 54, base);
        sp_3072_from_mp(e, 54, exp);
        sp_3072_from_mp(m, 54, mod);

        err = sp_3072_mod_exp_54(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_3072_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 54U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[54 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expBits > 3072) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 54 * 2;
        m = e + 54;
        r = b;

        sp_3072_from_mp(b, 54, base);
        sp_3072_from_mp(e, 54, exp);
        sp_3072_from_mp(m, 54, mod);

        err = sp_3072_mod_exp_54(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_3072_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 54U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_3072
SP_NOINLINE static void sp_3072_lshift_54(sp_digit* r, const sp_digit* a,
        byte n)
{
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[53];
    r[54] = s >> (57U - n);
    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
    r[53] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
    r[52] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
    r[51] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
    r[50] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
    r[49] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
    r[48] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
    r[47] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
    r[46] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
    r[45] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
    r[44] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
    r[43] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
    r[42] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
    r[41] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
    r[40] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
    r[39] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
    r[38] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
    r[37] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
    r[36] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
    r[35] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
    r[34] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
    r[33] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
    r[32] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
    r[31] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
    r[30] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
    r[29] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
    r[28] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
    r[27] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
    r[26] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
    r[25] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
    r[24] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
    r[23] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
    r[22] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
    r[21] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
    r[20] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
    r[19] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
    r[18] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
    r[17] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
    r[16] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
    r[15] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
    r[14] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
    r[13] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
    r[12] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
    r[11] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
    r[10] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (57U - n))) & 0x1ffffffffffffffUL;
    r[0] = (a[0] << n) & 0x1ffffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_3072_mod_exp_2_54(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[163];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 163, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 108;
        XMEMSET(td, 0, sizeof(sp_digit) * 163);

        sp_3072_mont_setup(m, &mp);
        sp_3072_mont_norm_54(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 56) / 57) - 1;
        c = bits % 57;
        if (c == 0) {
            c = 57;
        }
        if (i < 54) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (7 - c);
            c += 57;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_3072_lshift_54(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 7;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 52;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 7;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 57 - c;
            }

            sp_3072_mont_sqr_54(r, r, m, mp);
            sp_3072_mont_sqr_54(r, r, m, mp);
            sp_3072_mont_sqr_54(r, r, m, mp);
            sp_3072_mont_sqr_54(r, r, m, mp);
            sp_3072_mont_sqr_54(r, r, m, mp);

            sp_3072_lshift_54(r, r, (byte)y);
            sp_3072_mul_d_54(tmp, norm, (r[54] << 6) + (r[53] >> 51));
            r[54] = 0;
            r[53] &= 0x7ffffffffffffL;
            (void)sp_3072_add_54(r, r, tmp);
            sp_3072_norm_54(r);
            o = sp_3072_cmp_54(r, m);
            sp_3072_cond_sub_54(r, r, m, ~(o >> 63));
        }

        sp_3072_mont_reduce_54(r, m, mp);
        n = sp_3072_cmp_54(r, m);
        sp_3072_cond_sub_54(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_3072 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 384 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_3072(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[54 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 3072) {
        err = MP_READ_E;
    }
    else if (expLen > 384U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 3072) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 54 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 54 * 2;
        m = e + 54;
        r = b;

        sp_3072_from_mp(b, 54, base);
        sp_3072_from_bin(e, 54, exp, expLen);
        sp_3072_from_mp(m, 54, mod);

    #ifdef HAVE_FFDHE_3072
        if (base->used == 1 && base->dp[0] == 2U &&
                (m[53] >> 19) == 0xffffffffL) {
            err = sp_3072_mod_exp_2_54(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_3072_mod_exp_54(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_3072
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_3072_to_bin_54(r, out);
        *outLen = 384;
        for (i=0; i<384U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 54U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_1536(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[27 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1536) {
        err = MP_READ_E;
    }
    else if (expBits > 1536) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1536) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 27 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 27 * 2;
        m = e + 27;
        r = b;

        sp_3072_from_mp(b, 27, base);
        sp_3072_from_mp(e, 27, exp);
        sp_3072_from_mp(m, 27, mod);

        err = sp_3072_mod_exp_27(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 27, 0, sizeof(*r) * 27U);
        err = sp_3072_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 54U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[27 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 1536) {
        err = MP_READ_E;
    }
    else if (expBits > 1536) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 1536) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 27 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 27 * 2;
        m = e + 27;
        r = b;

        sp_3072_from_mp(b, 27, base);
        sp_3072_from_mp(e, 27, exp);
        sp_3072_from_mp(m, 27, mod);

        err = sp_3072_mod_exp_27(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        XMEMSET(r + 27, 0, sizeof(*r) * 27U);
        err = sp_3072_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 54U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#endif /* WOLFSSL_SP_SMALL */
#endif /* !WOLFSSL_SP_NO_3072 */

#ifdef WOLFSSL_SP_4096
#ifdef WOLFSSL_SP_SMALL
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 51U) {
            r[j] &= 0x7ffffffffffffffL;
            s = 59U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 59
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 58);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 58);
    }
#elif DIGIT_BIT > 59
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x7ffffffffffffffL;
        s = 59U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 59U) <= (word32)DIGIT_BIT) {
            s += 59U;
            r[j] &= 0x7ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 59) {
            r[j] &= 0x7ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 59 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 512
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_4096_to_bin_70(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<69; i++) {
        r[i+1] += r[i] >> 59;
        r[i] &= 0x7ffffffffffffffL;
    }
    j = 4103 / 8 - 1;
    a[j] = 0;
    for (i=0; i<70 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 59) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 59);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
/* Normalize the values in each word to 59 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_4096_norm_35(sp_digit* a)
{
    int i;
    for (i = 0; i < 34; i++) {
        a[i+1] += a[i] >> 59;
        a[i] &= 0x7ffffffffffffffL;
    }
}

#endif /* WOLFSSL_HAVE_SP_RSA & !SP_RSA_PRIVATE_EXP_D */
#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 59 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_4096_norm_70(sp_digit* a)
{
    int i;
    for (i = 0; i < 69; i++) {
        a[i+1] += a[i] >> 59;
        a[i] &= 0x7ffffffffffffffL;
    }
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_4096_mul_70(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[69]) * b[69];
    r[139] = (sp_digit)(c >> 59);
    c &= 0x7ffffffffffffffL;
    for (k = 137; k >= 0; k--) {
        if (k >= 70) {
            i = k - 69;
            imax = 69;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 59;
        r[k + 2] += (sp_digit)(c >> 59);
        r[k + 1]  = (sp_digit)(c & 0x7ffffffffffffffL);
        c = lo & 0x7ffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_4096_sqr_70(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[69]) * a[69];
    r[139] = (sp_digit)(c >> 59);
    c = (c & 0x7ffffffffffffffL) << 59;
    for (k = 137; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 69) {
            imax = k;
        }
        else {
            imax = 69;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 118);
        r[k + 1]  = (sp_digit)((c >> 59) & 0x7ffffffffffffffL);
        c = (c & 0x7ffffffffffffffL) << 59;
    }
    r[0] = (sp_digit)(c >> 59);
}

/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0x7ffffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 59) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_70(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 70; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x7ffffffffffffffL);
        t >>= 59;
    }
    r[70] = (sp_digit)t;
}

#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_sub_35(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 35; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 4096 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_4096_mont_norm_35(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<34; i++) {
        r[i] = 0x7ffffffffffffffL;
    }
    r[34] = 0x3ffffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_4096_sub_35(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_4096_cmp_35(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=34; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 58);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_4096_cond_sub_35(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 35; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_add_35(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 32; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x7ffffffffffffffL;
        t[1] += t[0] >> 59;
        r[i+1] = t[1] & 0x7ffffffffffffffL;
        t[2] += t[1] >> 59;
        r[i+2] = t[2] & 0x7ffffffffffffffL;
        t[3] += t[2] >> 59;
        r[i+3] = t[3] & 0x7ffffffffffffffL;
        t[0]  = t[3] >> 59;
    }
    t[0] += (tb * a[32]) + r[32];
    t[1]  = (tb * a[33]) + r[33];
    t[2]  = (tb * a[34]) + r[34];
    r[32] = t[0] & 0x7ffffffffffffffL;
    t[1] += t[0] >> 59;
    r[33] = t[1] & 0x7ffffffffffffffL;
    t[2] += t[1] >> 59;
    r[34] = t[2] & 0x7ffffffffffffffL;
    r[35] +=  (sp_digit)(t[2] >> 59);
}

/* Shift the result in the high 2048 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_4096_mont_shift_35(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[34] >> 42;
    n += ((sp_int128)a[35]) << 17;

    for (i = 0; i < 34; i++) {
        r[i] = n & 0x7ffffffffffffffL;
        n >>= 59;
        n += ((sp_int128)a[36 + i]) << 17;
    }
    r[34] = (sp_digit)n;
    XMEMSET(&r[35], 0, sizeof(*r) * 35U);
}

/* Reduce the number back to 4096 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_4096_mont_reduce_35(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_4096_norm_35(a + 35);

    for (i=0; i<34; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffffffffL;
        sp_4096_mul_add_35(a+i, m, mu);
        a[i+1] += a[i] >> 59;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x3ffffffffffL;
    sp_4096_mul_add_35(a+i, m, mu);
    a[i+1] += a[i] >> 59;
    a[i] &= 0x7ffffffffffffffL;
    sp_4096_mont_shift_35(a, a);
    over = a[34] - m[34];
    sp_4096_cond_sub_35(a, a, m, ~((over - 1) >> 63));
    sp_4096_norm_35(a);
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_4096_mul_35(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[34]) * b[34];
    r[69] = (sp_digit)(c >> 59);
    c &= 0x7ffffffffffffffL;
    for (k = 67; k >= 0; k--) {
        if (k >= 35) {
            i = k - 34;
            imax = 34;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 59;
        r[k + 2] += (sp_digit)(c >> 59);
        r[k + 1]  = (sp_digit)(c & 0x7ffffffffffffffL);
        c = lo & 0x7ffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_mul_35(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_4096_mul_35(r, a, b);
    sp_4096_mont_reduce_35(r, m, mp);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_4096_sqr_35(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[34]) * a[34];
    r[69] = (sp_digit)(c >> 59);
    c = (c & 0x7ffffffffffffffL) << 59;
    for (k = 67; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 34) {
            imax = k;
        }
        else {
            imax = 34;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 118);
        r[k + 1]  = (sp_digit)((c >> 59) & 0x7ffffffffffffffL);
        c = (c & 0x7ffffffffffffffL) << 59;
    }
    r[0] = (sp_digit)(c >> 59);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_sqr_35(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_4096_sqr_35(r, a);
    sp_4096_mont_reduce_35(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_35(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 35; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x7ffffffffffffffL);
        t >>= 59;
    }
    r[35] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_4096_cond_add_35(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 35; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_35(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 35; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_4096_rshift_35(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<34; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (59 - n))) & 0x7ffffffffffffffL;
    }
    r[34] = a[34] >> n;
}

static WC_INLINE sp_digit sp_4096_div_word_35(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 59) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 59);
    sp_digit t0 = (sp_digit)(d & 0x7ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 57; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 58) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 59);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 118) - (sp_digit)(d >> 118);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 28) + 1;

    t = (sp_digit)(d >> 56);
    t = (t / dv) << 28;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 25);
    t = t / (dv << 3);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_4096_word_div_word_35(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_div_35(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 35 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 35 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 70 + 1;
        sd = t2 + 35 + 1;

        sp_4096_mul_d_35(sd, d, (sp_digit)1 << 17);
        sp_4096_mul_d_70(t1, a, (sp_digit)1 << 17);
        dv = sd[34];
        t1[35 + 35] += t1[35 + 35 - 1] >> 59;
        t1[35 + 35 - 1] &= 0x7ffffffffffffffL;
        for (i=35; i>=0; i--) {
            r1 = sp_4096_div_word_35(t1[35 + i], t1[35 + i - 1], dv);

            sp_4096_mul_d_35(t2, sd, r1);
            (void)sp_4096_sub_35(&t1[i], &t1[i], t2);
            sp_4096_norm_35(&t1[i]);
            t1[35 + i] -= t2[35];
            t1[35 + i] += t1[35 + i - 1] >> 59;
            t1[35 + i - 1] &= 0x7ffffffffffffffL;
            r1 = sp_4096_div_word_35(-t1[35 + i], -t1[35 + i - 1], dv);
            r1 -= t1[35 + i];
            sp_4096_mul_d_35(t2, sd, r1);
            (void)sp_4096_add_35(&t1[i], &t1[i], t2);
            t1[35 + i] += t1[35 + i - 1] >> 59;
            t1[35 + i - 1] &= 0x7ffffffffffffffL;
        }
        t1[35 - 1] += t1[35 - 2] >> 59;
        t1[35 - 2] &= 0x7ffffffffffffffL;
        r1 = sp_4096_word_div_word_35(t1[35 - 1], dv);

        sp_4096_mul_d_35(t2, sd, r1);
        sp_4096_sub_35(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 70U);
        for (i=0; i<34; i++) {
            r[i+1] += r[i] >> 59;
            r[i] &= 0x7ffffffffffffffL;
        }
        sp_4096_cond_add_35(r, r, sd, r[34] >> 63);

        sp_4096_norm_35(r);
        sp_4096_rshift_35(r, r, 17);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_mod_35(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_4096_div_35(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_4096_mod_exp_35(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 70];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 35 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 35 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 35U * 2U);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_35(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_35(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 35U);
        }
    }
    if (err == MP_OKAY) {
        sp_4096_mul_35(t[1], t[1], norm);
        err = sp_4096_mod_35(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 59;
        c = bits % 59;
        n = e[i--] << (59 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 59;
            }

            y = (int)((n >> 58) & 1);
            n <<= 1;

            sp_4096_mont_mul_35(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 35 * 2);
            sp_4096_mont_sqr_35(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 35 * 2);
        }

        sp_4096_mont_reduce_35(t[0], m, mp);
        n = sp_4096_cmp_35(t[0], m);
        sp_4096_cond_sub_35(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 35 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 70];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 35 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 35 * 2);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_35(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_35(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_35(t[1], t[1], norm);
                err = sp_4096_mod_35(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_35(t[1], a, norm);
            err = sp_4096_mod_35(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 59;
        c = bits % 59;
        n = e[i--] << (59 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 59;
            }

            y = (int)((n >> 58) & 1);
            n <<= 1;

            sp_4096_mont_mul_35(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 35 * 2);
            sp_4096_mont_sqr_35(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 35 * 2);
        }

        sp_4096_mont_reduce_35(t[0], m, mp);
        n = sp_4096_cmp_35(t[0], m);
        sp_4096_cond_sub_35(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 35 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 70) + 70];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 70) + 70), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 70;
        rt = td + 2240;

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_35(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_35(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_35(t[1], t[1], norm);
                err = sp_4096_mod_35(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_35(t[1], a, norm);
            err = sp_4096_mod_35(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_4096_mont_sqr_35(t[ 2], t[ 1], m, mp);
        sp_4096_mont_mul_35(t[ 3], t[ 2], t[ 1], m, mp);
        sp_4096_mont_sqr_35(t[ 4], t[ 2], m, mp);
        sp_4096_mont_mul_35(t[ 5], t[ 3], t[ 2], m, mp);
        sp_4096_mont_sqr_35(t[ 6], t[ 3], m, mp);
        sp_4096_mont_mul_35(t[ 7], t[ 4], t[ 3], m, mp);
        sp_4096_mont_sqr_35(t[ 8], t[ 4], m, mp);
        sp_4096_mont_mul_35(t[ 9], t[ 5], t[ 4], m, mp);
        sp_4096_mont_sqr_35(t[10], t[ 5], m, mp);
        sp_4096_mont_mul_35(t[11], t[ 6], t[ 5], m, mp);
        sp_4096_mont_sqr_35(t[12], t[ 6], m, mp);
        sp_4096_mont_mul_35(t[13], t[ 7], t[ 6], m, mp);
        sp_4096_mont_sqr_35(t[14], t[ 7], m, mp);
        sp_4096_mont_mul_35(t[15], t[ 8], t[ 7], m, mp);
        sp_4096_mont_sqr_35(t[16], t[ 8], m, mp);
        sp_4096_mont_mul_35(t[17], t[ 9], t[ 8], m, mp);
        sp_4096_mont_sqr_35(t[18], t[ 9], m, mp);
        sp_4096_mont_mul_35(t[19], t[10], t[ 9], m, mp);
        sp_4096_mont_sqr_35(t[20], t[10], m, mp);
        sp_4096_mont_mul_35(t[21], t[11], t[10], m, mp);
        sp_4096_mont_sqr_35(t[22], t[11], m, mp);
        sp_4096_mont_mul_35(t[23], t[12], t[11], m, mp);
        sp_4096_mont_sqr_35(t[24], t[12], m, mp);
        sp_4096_mont_mul_35(t[25], t[13], t[12], m, mp);
        sp_4096_mont_sqr_35(t[26], t[13], m, mp);
        sp_4096_mont_mul_35(t[27], t[14], t[13], m, mp);
        sp_4096_mont_sqr_35(t[28], t[14], m, mp);
        sp_4096_mont_mul_35(t[29], t[15], t[14], m, mp);
        sp_4096_mont_sqr_35(t[30], t[15], m, mp);
        sp_4096_mont_mul_35(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 58) / 59) - 1;
        c = bits % 59;
        if (c == 0) {
            c = 59;
        }
        if (i < 35) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (5 - c);
            c += 59;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 70);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 5;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 54;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 5;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 59 - c;
            }

            sp_4096_mont_sqr_35(rt, rt, m, mp);
            sp_4096_mont_sqr_35(rt, rt, m, mp);
            sp_4096_mont_sqr_35(rt, rt, m, mp);
            sp_4096_mont_sqr_35(rt, rt, m, mp);
            sp_4096_mont_sqr_35(rt, rt, m, mp);

            sp_4096_mont_mul_35(rt, rt, t[y], m, mp);
        }

        sp_4096_mont_reduce_35(rt, m, mp);
        n = sp_4096_cmp_35(rt, m);
        sp_4096_cond_sub_35(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 70);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_RSA & !SP_RSA_PRIVATE_EXP_D */
#endif /* (WOLFSSL_HAVE_SP_RSA | WOLFSSL_HAVE_SP_DH) & !WOLFSSL_RSA_PUBLIC_ONLY */

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_sub_70(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 70; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 4096 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_4096_mont_norm_70(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i=0; i<69; i++) {
        r[i] = 0x7ffffffffffffffL;
    }
    r[69] = 0x1ffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_4096_sub_70(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_4096_cmp_70(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    for (i=69; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 58);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_4096_cond_sub_70(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 70; i++) {
        r[i] = a[i] - (b[i] & m);
    }
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_add_70(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 68; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x7ffffffffffffffL;
        t[1] += t[0] >> 59;
        r[i+1] = t[1] & 0x7ffffffffffffffL;
        t[2] += t[1] >> 59;
        r[i+2] = t[2] & 0x7ffffffffffffffL;
        t[3] += t[2] >> 59;
        r[i+3] = t[3] & 0x7ffffffffffffffL;
        t[0]  = t[3] >> 59;
    }
    t[0] += (tb * a[68]) + r[68];
    t[1]  = (tb * a[69]) + r[69];
    r[68] = t[0] & 0x7ffffffffffffffL;
    t[1] += t[0] >> 59;
    r[69] = t[1] & 0x7ffffffffffffffL;
    r[70] +=  (sp_digit)(t[1] >> 59);
}

/* Shift the result in the high 4096 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_4096_mont_shift_70(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[69] >> 25;
    n += ((sp_int128)a[70]) << 34;

    for (i = 0; i < 69; i++) {
        r[i] = n & 0x7ffffffffffffffL;
        n >>= 59;
        n += ((sp_int128)a[71 + i]) << 34;
    }
    r[69] = (sp_digit)n;
    XMEMSET(&r[70], 0, sizeof(*r) * 70U);
}

/* Reduce the number back to 4096 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_4096_mont_reduce_70(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_4096_norm_70(a + 70);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<69; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffffffffL;
            sp_4096_mul_add_70(a+i, m, mu);
            a[i+1] += a[i] >> 59;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffL;
        sp_4096_mul_add_70(a+i, m, mu);
        a[i+1] += a[i] >> 59;
        a[i] &= 0x7ffffffffffffffL;
    }
    else {
        for (i=0; i<69; i++) {
            mu = a[i] & 0x7ffffffffffffffL;
            sp_4096_mul_add_70(a+i, m, mu);
            a[i+1] += a[i] >> 59;
        }
        mu = a[i] & 0x1ffffffL;
        sp_4096_mul_add_70(a+i, m, mu);
        a[i+1] += a[i] >> 59;
        a[i] &= 0x7ffffffffffffffL;
    }
#else
    for (i=0; i<69; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7ffffffffffffffL;
        sp_4096_mul_add_70(a+i, m, mu);
        a[i+1] += a[i] >> 59;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffL;
    sp_4096_mul_add_70(a+i, m, mu);
    a[i+1] += a[i] >> 59;
    a[i] &= 0x7ffffffffffffffL;
#endif
    sp_4096_mont_shift_70(a, a);
    over = a[69] - m[69];
    sp_4096_cond_sub_70(a, a, m, ~((over - 1) >> 63));
    sp_4096_norm_70(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_mul_70(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_4096_mul_70(r, a, b);
    sp_4096_mont_reduce_70(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_sqr_70(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_4096_sqr_70(r, a);
    sp_4096_mont_reduce_70(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_140(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 140; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x7ffffffffffffffL);
        t >>= 59;
    }
    r[140] = (sp_digit)t;
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_4096_cond_add_70(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 70; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_70(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 70; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}

SP_NOINLINE static void sp_4096_rshift_70(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<69; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (59 - n))) & 0x7ffffffffffffffL;
    }
    r[69] = a[69] >> n;
}

static WC_INLINE sp_digit sp_4096_div_word_70(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 59) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 59);
    sp_digit t0 = (sp_digit)(d & 0x7ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 57; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 58) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 59);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 118) - (sp_digit)(d >> 118);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 59) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 28) + 1;

    t = (sp_digit)(d >> 56);
    t = (t / dv) << 28;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 25);
    t = t / (dv << 3);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_4096_word_div_word_70(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_div_70(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 70 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 70 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 140 + 1;
        sd = t2 + 70 + 1;

        sp_4096_mul_d_70(sd, d, (sp_digit)1 << 34);
        sp_4096_mul_d_140(t1, a, (sp_digit)1 << 34);
        dv = sd[69];
        t1[70 + 70] += t1[70 + 70 - 1] >> 59;
        t1[70 + 70 - 1] &= 0x7ffffffffffffffL;
        for (i=70; i>=0; i--) {
            r1 = sp_4096_div_word_70(t1[70 + i], t1[70 + i - 1], dv);

            sp_4096_mul_d_70(t2, sd, r1);
            (void)sp_4096_sub_70(&t1[i], &t1[i], t2);
            sp_4096_norm_70(&t1[i]);
            t1[70 + i] -= t2[70];
            t1[70 + i] += t1[70 + i - 1] >> 59;
            t1[70 + i - 1] &= 0x7ffffffffffffffL;
            r1 = sp_4096_div_word_70(-t1[70 + i], -t1[70 + i - 1], dv);
            r1 -= t1[70 + i];
            sp_4096_mul_d_70(t2, sd, r1);
            (void)sp_4096_add_70(&t1[i], &t1[i], t2);
            t1[70 + i] += t1[70 + i - 1] >> 59;
            t1[70 + i - 1] &= 0x7ffffffffffffffL;
        }
        t1[70 - 1] += t1[70 - 2] >> 59;
        t1[70 - 2] &= 0x7ffffffffffffffL;
        r1 = sp_4096_word_div_word_70(t1[70 - 1], dv);

        sp_4096_mul_d_70(t2, sd, r1);
        sp_4096_sub_70(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 140U);
        for (i=0; i<69; i++) {
            r[i+1] += r[i] >> 59;
            r[i] &= 0x7ffffffffffffffL;
        }
        sp_4096_cond_add_70(r, r, sd, r[69] >> 63);

        sp_4096_norm_70(r);
        sp_4096_rshift_70(r, r, 34);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_mod_70(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_4096_div_70(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_4096_mod_exp_70(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 140];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 70 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 70 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 70U * 2U);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_70(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_70(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 70U);
        }
    }
    if (err == MP_OKAY) {
        sp_4096_mul_70(t[1], t[1], norm);
        err = sp_4096_mod_70(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 59;
        c = bits % 59;
        n = e[i--] << (59 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 59;
            }

            y = (int)((n >> 58) & 1);
            n <<= 1;

            sp_4096_mont_mul_70(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 70 * 2);
            sp_4096_mont_sqr_70(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 70 * 2);
        }

        sp_4096_mont_reduce_70(t[0], m, mp);
        n = sp_4096_cmp_70(t[0], m);
        sp_4096_cond_sub_70(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 70 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 140];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 70 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 70 * 2);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_70(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_70(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_70(t[1], t[1], norm);
                err = sp_4096_mod_70(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_70(t[1], a, norm);
            err = sp_4096_mod_70(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 59;
        c = bits % 59;
        n = e[i--] << (59 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 59;
            }

            y = (int)((n >> 58) & 1);
            n <<= 1;

            sp_4096_mont_mul_70(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 70 * 2);
            sp_4096_mont_sqr_70(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 70 * 2);
        }

        sp_4096_mont_reduce_70(t[0], m, mp);
        n = sp_4096_cmp_70(t[0], m);
        sp_4096_cond_sub_70(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 70 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 140) + 140];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 140) + 140), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 140;
        rt = td + 2240;

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_70(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_70(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_70(t[1], t[1], norm);
                err = sp_4096_mod_70(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_70(t[1], a, norm);
            err = sp_4096_mod_70(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_4096_mont_sqr_70(t[ 2], t[ 1], m, mp);
        sp_4096_mont_mul_70(t[ 3], t[ 2], t[ 1], m, mp);
        sp_4096_mont_sqr_70(t[ 4], t[ 2], m, mp);
        sp_4096_mont_mul_70(t[ 5], t[ 3], t[ 2], m, mp);
        sp_4096_mont_sqr_70(t[ 6], t[ 3], m, mp);
        sp_4096_mont_mul_70(t[ 7], t[ 4], t[ 3], m, mp);
        sp_4096_mont_sqr_70(t[ 8], t[ 4], m, mp);
        sp_4096_mont_mul_70(t[ 9], t[ 5], t[ 4], m, mp);
        sp_4096_mont_sqr_70(t[10], t[ 5], m, mp);
        sp_4096_mont_mul_70(t[11], t[ 6], t[ 5], m, mp);
        sp_4096_mont_sqr_70(t[12], t[ 6], m, mp);
        sp_4096_mont_mul_70(t[13], t[ 7], t[ 6], m, mp);
        sp_4096_mont_sqr_70(t[14], t[ 7], m, mp);
        sp_4096_mont_mul_70(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 58) / 59) - 1;
        c = bits % 59;
        if (c == 0) {
            c = 59;
        }
        if (i < 70) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (5 - c);
            c += 59;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 140);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 5;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 55;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 5;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 59 - c;
            }

            sp_4096_mont_sqr_70(rt, rt, m, mp);
            sp_4096_mont_sqr_70(rt, rt, m, mp);
            sp_4096_mont_sqr_70(rt, rt, m, mp);
            sp_4096_mont_sqr_70(rt, rt, m, mp);

            sp_4096_mont_mul_70(rt, rt, t[y], m, mp);
        }

        sp_4096_mont_reduce_70(rt, m, mp);
        n = sp_4096_cmp_70(rt, m);
        sp_4096_cond_sub_70(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 140);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 512 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_4096(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[70 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 70 * 2;
        m = r + 70 * 2;
        norm = r;

        sp_4096_from_bin(a, 70, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_4096_from_mp(m, 70, mm);

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_70(norm, m);
    }
    if (err == MP_OKAY) {
        sp_4096_mul_70(a, a, norm);
        err = sp_4096_mod_70(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 70 * 2);
        for (i--; i>=0; i--) {
            sp_4096_mont_sqr_70(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_4096_mont_mul_70(r, r, a, m, mp);
            }
        }
        sp_4096_mont_reduce_70(r, m, mp);
        mp = sp_4096_cmp_70(r, m);
        sp_4096_cond_sub_70(r, r, m, ~(mp >> 63));

        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[70 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 70 * 2;
        m = r + 70 * 2;

        sp_4096_from_bin(a, 70, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(m, 70, mm);

        if (e[0] == 0x3) {
            sp_4096_sqr_70(r, a);
            err = sp_4096_mod_70(r, r, m);
            if (err == MP_OKAY) {
                sp_4096_mul_70(r, a, r);
                err = sp_4096_mod_70(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_4096_mont_setup(m, &mp);
            sp_4096_mont_norm_70(norm, m);

            sp_4096_mul_70(a, a, norm);
            err = sp_4096_mod_70(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 140U);
                for (i--; i>=0; i--) {
                    sp_4096_mont_sqr_70(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_4096_mont_mul_70(r, r, a, m, mp);
                    }
                }
                sp_4096_mont_reduce_70(r, m, mp);
                mp = sp_4096_cmp_70(r, m);
                sp_4096_cond_sub_70(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 512 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_4096(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[70 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 4096) {
           err = MP_READ_E;
        }
        else if (inLen > 512) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 70;
        m = a + 140;
        r = a;

        sp_4096_from_bin(a, 70, in, inLen);
        sp_4096_from_mp(d, 70, dm);
        sp_4096_from_mp(m, 70, mm);
        err = sp_4096_mod_exp_70(r, a, d, 4096, m, 0);
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 70);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[70 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 4096) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 70;
        m = a + 140;
        r = a;

        sp_4096_from_bin(a, 70, in, inLen);
        sp_4096_from_mp(d, 70, dm);
        sp_4096_from_mp(m, 70, mm);
        err = sp_4096_mod_exp_70(r, a, d, 4096, m, 0);
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 70);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[35 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 512) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 35 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 70;
        qi = dq = dp = p + 35;
        tmpa = qi + 35;
        tmpb = tmpa + 70;
        r = a;

        sp_4096_from_bin(a, 70, in, inLen);
        sp_4096_from_mp(p, 35, pm);
        sp_4096_from_mp(dp, 35, dpm);
        err = sp_4096_mod_exp_35(tmpa, a, dp, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 35, qm);
        sp_4096_from_mp(dq, 35, dqm);
        err = sp_4096_mod_exp_35(tmpb, a, dq, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 35, pm);
        (void)sp_4096_sub_35(tmpa, tmpa, tmpb);
        sp_4096_norm_35(tmpa);
        sp_4096_cond_add_35(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[34] >> 63));
        sp_4096_cond_add_35(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[34] >> 63));
        sp_4096_norm_35(tmpa);

        sp_4096_from_mp(qi, 35, qim);
        sp_4096_mul_35(tmpa, tmpa, qi);
        err = sp_4096_mod_35(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 35, qm);
        sp_4096_mul_35(tmpa, p, tmpa);
        (void)sp_4096_add_70(r, tmpb, tmpa);
        sp_4096_norm_70(r);

        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 35 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[35 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 35 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 70 * 2;
        q = p + 35;
        dp = q + 35;
        dq = dp + 35;
        qi = dq + 35;
        tmpa = qi + 35;
        tmpb = tmpa + 70;
        r = a;

        sp_4096_from_bin(a, 70, in, inLen);
        sp_4096_from_mp(p, 35, pm);
        sp_4096_from_mp(q, 35, qm);
        sp_4096_from_mp(dp, 35, dpm);
        sp_4096_from_mp(dq, 35, dqm);
        sp_4096_from_mp(qi, 35, qim);

        err = sp_4096_mod_exp_35(tmpa, a, dp, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_4096_mod_exp_35(tmpb, a, dq, 2048, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_4096_sub_35(tmpa, tmpa, tmpb);
        sp_4096_norm_35(tmpa);
        sp_4096_cond_add_35(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[34] >> 63));
        sp_4096_cond_add_35(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[34] >> 63));
        sp_4096_norm_35(tmpa);
        sp_4096_mul_35(tmpa, tmpa, qi);
        err = sp_4096_mod_35(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_4096_mul_35(tmpa, tmpa, q);
        (void)sp_4096_add_70(r, tmpb, tmpa);
        sp_4096_norm_70(r);

        sp_4096_to_bin_70(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 35 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 59
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 70);
        r->used = 70;
        mp_clamp(r);
#elif DIGIT_BIT < 59
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 70; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 59) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 59 - s;
        }
        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 70; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 59 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 59 - s;
            }
            else {
                s += 59;
            }
        }
        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_4096(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[70 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expBits > 4096) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 70 * 2;
        m = e + 70;
        r = b;

        sp_4096_from_mp(b, 70, base);
        sp_4096_from_mp(e, 70, exp);
        sp_4096_from_mp(m, 70, mod);

        err = sp_4096_mod_exp_70(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_4096_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 70U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[70 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expBits > 4096) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 70 * 2;
        m = e + 70;
        r = b;

        sp_4096_from_mp(b, 70, base);
        sp_4096_from_mp(e, 70, exp);
        sp_4096_from_mp(m, 70, mod);

        err = sp_4096_mod_exp_70(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_4096_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 70U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_4096
SP_NOINLINE static void sp_4096_lshift_70(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    r[70] = a[69] >> (59 - n);
    for (i=69; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (59 - n))) & 0x7ffffffffffffffL;
    }
    r[0] = (a[0] << n) & 0x7ffffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_4096_mod_exp_2_70(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[211];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 211, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 140;
        XMEMSET(td, 0, sizeof(sp_digit) * 211);

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_70(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 58) / 59) - 1;
        c = bits % 59;
        if (c == 0) {
            c = 59;
        }
        if (i < 70) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (5 - c);
            c += 59;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_4096_lshift_70(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 5;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 54;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 5;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 59 - c;
            }

            sp_4096_mont_sqr_70(r, r, m, mp);
            sp_4096_mont_sqr_70(r, r, m, mp);
            sp_4096_mont_sqr_70(r, r, m, mp);
            sp_4096_mont_sqr_70(r, r, m, mp);
            sp_4096_mont_sqr_70(r, r, m, mp);

            sp_4096_lshift_70(r, r, (byte)y);
            sp_4096_mul_d_70(tmp, norm, (r[70] << 34) + (r[69] >> 25));
            r[70] = 0;
            r[69] &= 0x1ffffffL;
            (void)sp_4096_add_70(r, r, tmp);
            sp_4096_norm_70(r);
            o = sp_4096_cmp_70(r, m);
            sp_4096_cond_sub_70(r, r, m, ~(o >> 63));
        }

        sp_4096_mont_reduce_70(r, m, mp);
        n = sp_4096_cmp_70(r, m);
        sp_4096_cond_sub_70(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_4096 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 512 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_4096(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[70 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expLen > 512U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 70 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 70 * 2;
        m = e + 70;
        r = b;

        sp_4096_from_mp(b, 70, base);
        sp_4096_from_bin(e, 70, exp, expLen);
        sp_4096_from_mp(m, 70, mod);

    #ifdef HAVE_FFDHE_4096
        if (base->used == 1 && base->dp[0] == 2U &&
                ((m[69] << 7) | (m[68] >> 52)) == 0xffffffffL) {
            err = sp_4096_mod_exp_2_70(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_4096_mod_exp_70(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_4096
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_70(r, out);
        *outLen = 512;
        for (i=0; i<512U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 70U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#else
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_4096_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 45U) {
            r[j] &= 0x1fffffffffffffL;
            s = 53U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_4096_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 53
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 52);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 52);
    }
#elif DIGIT_BIT > 53
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x1fffffffffffffL;
        s = 53U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 53U) <= (word32)DIGIT_BIT) {
            s += 53U;
            r[j] &= 0x1fffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 53) {
            r[j] &= 0x1fffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 53 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 512
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_4096_to_bin_78(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<77; i++) {
        r[i+1] += r[i] >> 53;
        r[i] &= 0x1fffffffffffffL;
    }
    j = 4103 / 8 - 1;
    a[j] = 0;
    for (i=0; i<78 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 53) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 53);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
/* Normalize the values in each word to 53 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_4096_norm_39(sp_digit* a)
{
    int i;
    for (i = 0; i < 32; i += 8) {
        a[i+1] += a[i+0] >> 53; a[i+0] &= 0x1fffffffffffffL;
        a[i+2] += a[i+1] >> 53; a[i+1] &= 0x1fffffffffffffL;
        a[i+3] += a[i+2] >> 53; a[i+2] &= 0x1fffffffffffffL;
        a[i+4] += a[i+3] >> 53; a[i+3] &= 0x1fffffffffffffL;
        a[i+5] += a[i+4] >> 53; a[i+4] &= 0x1fffffffffffffL;
        a[i+6] += a[i+5] >> 53; a[i+5] &= 0x1fffffffffffffL;
        a[i+7] += a[i+6] >> 53; a[i+6] &= 0x1fffffffffffffL;
        a[i+8] += a[i+7] >> 53; a[i+7] &= 0x1fffffffffffffL;
    }
    a[33] += a[32] >> 53; a[32] &= 0x1fffffffffffffL;
    a[34] += a[33] >> 53; a[33] &= 0x1fffffffffffffL;
    a[35] += a[34] >> 53; a[34] &= 0x1fffffffffffffL;
    a[36] += a[35] >> 53; a[35] &= 0x1fffffffffffffL;
    a[37] += a[36] >> 53; a[36] &= 0x1fffffffffffffL;
    a[38] += a[37] >> 53; a[37] &= 0x1fffffffffffffL;
}

#endif /* WOLFSSL_HAVE_SP_RSA & !SP_RSA_PRIVATE_EXP_D */
#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
/* Normalize the values in each word to 53 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_4096_norm_78(sp_digit* a)
{
    int i;
    for (i = 0; i < 72; i += 8) {
        a[i+1] += a[i+0] >> 53; a[i+0] &= 0x1fffffffffffffL;
        a[i+2] += a[i+1] >> 53; a[i+1] &= 0x1fffffffffffffL;
        a[i+3] += a[i+2] >> 53; a[i+2] &= 0x1fffffffffffffL;
        a[i+4] += a[i+3] >> 53; a[i+3] &= 0x1fffffffffffffL;
        a[i+5] += a[i+4] >> 53; a[i+4] &= 0x1fffffffffffffL;
        a[i+6] += a[i+5] >> 53; a[i+5] &= 0x1fffffffffffffL;
        a[i+7] += a[i+6] >> 53; a[i+6] &= 0x1fffffffffffffL;
        a[i+8] += a[i+7] >> 53; a[i+7] &= 0x1fffffffffffffL;
    }
    a[73] += a[72] >> 53; a[72] &= 0x1fffffffffffffL;
    a[74] += a[73] >> 53; a[73] &= 0x1fffffffffffffL;
    a[75] += a[74] >> 53; a[74] &= 0x1fffffffffffffL;
    a[76] += a[75] >> 53; a[75] &= 0x1fffffffffffffL;
    a[77] += a[76] >> 53; a[76] &= 0x1fffffffffffffL;
}

#ifndef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_4096_mul_13(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[13];

    t0 = ((sp_uint128)a[ 0]) * b[ 0];
    t1 = ((sp_uint128)a[ 0]) * b[ 1]
       + ((sp_uint128)a[ 1]) * b[ 0];
    t[ 0] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[ 2]
       + ((sp_uint128)a[ 1]) * b[ 1]
       + ((sp_uint128)a[ 2]) * b[ 0];
    t[ 1] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 0]) * b[ 3]
       + ((sp_uint128)a[ 1]) * b[ 2]
       + ((sp_uint128)a[ 2]) * b[ 1]
       + ((sp_uint128)a[ 3]) * b[ 0];
    t[ 2] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[ 4]
       + ((sp_uint128)a[ 1]) * b[ 3]
       + ((sp_uint128)a[ 2]) * b[ 2]
       + ((sp_uint128)a[ 3]) * b[ 1]
       + ((sp_uint128)a[ 4]) * b[ 0];
    t[ 3] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 0]) * b[ 5]
       + ((sp_uint128)a[ 1]) * b[ 4]
       + ((sp_uint128)a[ 2]) * b[ 3]
       + ((sp_uint128)a[ 3]) * b[ 2]
       + ((sp_uint128)a[ 4]) * b[ 1]
       + ((sp_uint128)a[ 5]) * b[ 0];
    t[ 4] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[ 6]
       + ((sp_uint128)a[ 1]) * b[ 5]
       + ((sp_uint128)a[ 2]) * b[ 4]
       + ((sp_uint128)a[ 3]) * b[ 3]
       + ((sp_uint128)a[ 4]) * b[ 2]
       + ((sp_uint128)a[ 5]) * b[ 1]
       + ((sp_uint128)a[ 6]) * b[ 0];
    t[ 5] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 0]) * b[ 7]
       + ((sp_uint128)a[ 1]) * b[ 6]
       + ((sp_uint128)a[ 2]) * b[ 5]
       + ((sp_uint128)a[ 3]) * b[ 4]
       + ((sp_uint128)a[ 4]) * b[ 3]
       + ((sp_uint128)a[ 5]) * b[ 2]
       + ((sp_uint128)a[ 6]) * b[ 1]
       + ((sp_uint128)a[ 7]) * b[ 0];
    t[ 6] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[ 8]
       + ((sp_uint128)a[ 1]) * b[ 7]
       + ((sp_uint128)a[ 2]) * b[ 6]
       + ((sp_uint128)a[ 3]) * b[ 5]
       + ((sp_uint128)a[ 4]) * b[ 4]
       + ((sp_uint128)a[ 5]) * b[ 3]
       + ((sp_uint128)a[ 6]) * b[ 2]
       + ((sp_uint128)a[ 7]) * b[ 1]
       + ((sp_uint128)a[ 8]) * b[ 0];
    t[ 7] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 0]) * b[ 9]
       + ((sp_uint128)a[ 1]) * b[ 8]
       + ((sp_uint128)a[ 2]) * b[ 7]
       + ((sp_uint128)a[ 3]) * b[ 6]
       + ((sp_uint128)a[ 4]) * b[ 5]
       + ((sp_uint128)a[ 5]) * b[ 4]
       + ((sp_uint128)a[ 6]) * b[ 3]
       + ((sp_uint128)a[ 7]) * b[ 2]
       + ((sp_uint128)a[ 8]) * b[ 1]
       + ((sp_uint128)a[ 9]) * b[ 0];
    t[ 8] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[10]
       + ((sp_uint128)a[ 1]) * b[ 9]
       + ((sp_uint128)a[ 2]) * b[ 8]
       + ((sp_uint128)a[ 3]) * b[ 7]
       + ((sp_uint128)a[ 4]) * b[ 6]
       + ((sp_uint128)a[ 5]) * b[ 5]
       + ((sp_uint128)a[ 6]) * b[ 4]
       + ((sp_uint128)a[ 7]) * b[ 3]
       + ((sp_uint128)a[ 8]) * b[ 2]
       + ((sp_uint128)a[ 9]) * b[ 1]
       + ((sp_uint128)a[10]) * b[ 0];
    t[ 9] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 0]) * b[11]
       + ((sp_uint128)a[ 1]) * b[10]
       + ((sp_uint128)a[ 2]) * b[ 9]
       + ((sp_uint128)a[ 3]) * b[ 8]
       + ((sp_uint128)a[ 4]) * b[ 7]
       + ((sp_uint128)a[ 5]) * b[ 6]
       + ((sp_uint128)a[ 6]) * b[ 5]
       + ((sp_uint128)a[ 7]) * b[ 4]
       + ((sp_uint128)a[ 8]) * b[ 3]
       + ((sp_uint128)a[ 9]) * b[ 2]
       + ((sp_uint128)a[10]) * b[ 1]
       + ((sp_uint128)a[11]) * b[ 0];
    t[10] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 0]) * b[12]
       + ((sp_uint128)a[ 1]) * b[11]
       + ((sp_uint128)a[ 2]) * b[10]
       + ((sp_uint128)a[ 3]) * b[ 9]
       + ((sp_uint128)a[ 4]) * b[ 8]
       + ((sp_uint128)a[ 5]) * b[ 7]
       + ((sp_uint128)a[ 6]) * b[ 6]
       + ((sp_uint128)a[ 7]) * b[ 5]
       + ((sp_uint128)a[ 8]) * b[ 4]
       + ((sp_uint128)a[ 9]) * b[ 3]
       + ((sp_uint128)a[10]) * b[ 2]
       + ((sp_uint128)a[11]) * b[ 1]
       + ((sp_uint128)a[12]) * b[ 0];
    t[11] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 1]) * b[12]
       + ((sp_uint128)a[ 2]) * b[11]
       + ((sp_uint128)a[ 3]) * b[10]
       + ((sp_uint128)a[ 4]) * b[ 9]
       + ((sp_uint128)a[ 5]) * b[ 8]
       + ((sp_uint128)a[ 6]) * b[ 7]
       + ((sp_uint128)a[ 7]) * b[ 6]
       + ((sp_uint128)a[ 8]) * b[ 5]
       + ((sp_uint128)a[ 9]) * b[ 4]
       + ((sp_uint128)a[10]) * b[ 3]
       + ((sp_uint128)a[11]) * b[ 2]
       + ((sp_uint128)a[12]) * b[ 1];
    t[12] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 2]) * b[12]
       + ((sp_uint128)a[ 3]) * b[11]
       + ((sp_uint128)a[ 4]) * b[10]
       + ((sp_uint128)a[ 5]) * b[ 9]
       + ((sp_uint128)a[ 6]) * b[ 8]
       + ((sp_uint128)a[ 7]) * b[ 7]
       + ((sp_uint128)a[ 8]) * b[ 6]
       + ((sp_uint128)a[ 9]) * b[ 5]
       + ((sp_uint128)a[10]) * b[ 4]
       + ((sp_uint128)a[11]) * b[ 3]
       + ((sp_uint128)a[12]) * b[ 2];
    r[13] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 3]) * b[12]
       + ((sp_uint128)a[ 4]) * b[11]
       + ((sp_uint128)a[ 5]) * b[10]
       + ((sp_uint128)a[ 6]) * b[ 9]
       + ((sp_uint128)a[ 7]) * b[ 8]
       + ((sp_uint128)a[ 8]) * b[ 7]
       + ((sp_uint128)a[ 9]) * b[ 6]
       + ((sp_uint128)a[10]) * b[ 5]
       + ((sp_uint128)a[11]) * b[ 4]
       + ((sp_uint128)a[12]) * b[ 3];
    r[14] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 4]) * b[12]
       + ((sp_uint128)a[ 5]) * b[11]
       + ((sp_uint128)a[ 6]) * b[10]
       + ((sp_uint128)a[ 7]) * b[ 9]
       + ((sp_uint128)a[ 8]) * b[ 8]
       + ((sp_uint128)a[ 9]) * b[ 7]
       + ((sp_uint128)a[10]) * b[ 6]
       + ((sp_uint128)a[11]) * b[ 5]
       + ((sp_uint128)a[12]) * b[ 4];
    r[15] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 5]) * b[12]
       + ((sp_uint128)a[ 6]) * b[11]
       + ((sp_uint128)a[ 7]) * b[10]
       + ((sp_uint128)a[ 8]) * b[ 9]
       + ((sp_uint128)a[ 9]) * b[ 8]
       + ((sp_uint128)a[10]) * b[ 7]
       + ((sp_uint128)a[11]) * b[ 6]
       + ((sp_uint128)a[12]) * b[ 5];
    r[16] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 6]) * b[12]
       + ((sp_uint128)a[ 7]) * b[11]
       + ((sp_uint128)a[ 8]) * b[10]
       + ((sp_uint128)a[ 9]) * b[ 9]
       + ((sp_uint128)a[10]) * b[ 8]
       + ((sp_uint128)a[11]) * b[ 7]
       + ((sp_uint128)a[12]) * b[ 6];
    r[17] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 7]) * b[12]
       + ((sp_uint128)a[ 8]) * b[11]
       + ((sp_uint128)a[ 9]) * b[10]
       + ((sp_uint128)a[10]) * b[ 9]
       + ((sp_uint128)a[11]) * b[ 8]
       + ((sp_uint128)a[12]) * b[ 7];
    r[18] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[ 8]) * b[12]
       + ((sp_uint128)a[ 9]) * b[11]
       + ((sp_uint128)a[10]) * b[10]
       + ((sp_uint128)a[11]) * b[ 9]
       + ((sp_uint128)a[12]) * b[ 8];
    r[19] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[ 9]) * b[12]
       + ((sp_uint128)a[10]) * b[11]
       + ((sp_uint128)a[11]) * b[10]
       + ((sp_uint128)a[12]) * b[ 9];
    r[20] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[10]) * b[12]
       + ((sp_uint128)a[11]) * b[11]
       + ((sp_uint128)a[12]) * b[10];
    r[21] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = ((sp_uint128)a[11]) * b[12]
       + ((sp_uint128)a[12]) * b[11];
    r[22] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = ((sp_uint128)a[12]) * b[12];
    r[23] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    r[24] = t0 & 0x1fffffffffffffL;
    r[25] = (sp_digit)(t0 >> 53);
    XMEMCPY(r, t, sizeof(t));
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_13(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];
    r[ 7] = a[ 7] + b[ 7];
    r[ 8] = a[ 8] + b[ 8];
    r[ 9] = a[ 9] + b[ 9];
    r[10] = a[10] + b[10];
    r[11] = a[11] + b[11];
    r[12] = a[12] + b[12];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_sub_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[24] = a[24] - b[24];
    r[25] = a[25] - b[25];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_26(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 24; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[24] = a[24] + b[24];
    r[25] = a[25] + b[25];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_4096_mul_39(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit p0[26];
    sp_digit p1[26];
    sp_digit p2[26];
    sp_digit p3[26];
    sp_digit p4[26];
    sp_digit p5[26];
    sp_digit t0[26];
    sp_digit t1[26];
    sp_digit t2[26];
    sp_digit a0[13];
    sp_digit a1[13];
    sp_digit a2[13];
    sp_digit b0[13];
    sp_digit b1[13];
    sp_digit b2[13];
    (void)sp_4096_add_13(a0, a, &a[13]);
    (void)sp_4096_add_13(b0, b, &b[13]);
    (void)sp_4096_add_13(a1, &a[13], &a[26]);
    (void)sp_4096_add_13(b1, &b[13], &b[26]);
    (void)sp_4096_add_13(a2, a0, &a[26]);
    (void)sp_4096_add_13(b2, b0, &b[26]);
    sp_4096_mul_13(p0, a, b);
    sp_4096_mul_13(p2, &a[13], &b[13]);
    sp_4096_mul_13(p4, &a[26], &b[26]);
    sp_4096_mul_13(p1, a0, b0);
    sp_4096_mul_13(p3, a1, b1);
    sp_4096_mul_13(p5, a2, b2);
    XMEMSET(r, 0, sizeof(*r)*2U*39U);
    (void)sp_4096_sub_26(t0, p3, p2);
    (void)sp_4096_sub_26(t1, p1, p2);
    (void)sp_4096_sub_26(t2, p5, t0);
    (void)sp_4096_sub_26(t2, t2, t1);
    (void)sp_4096_sub_26(t0, t0, p4);
    (void)sp_4096_sub_26(t1, t1, p0);
    (void)sp_4096_add_26(r, r, p0);
    (void)sp_4096_add_26(&r[13], &r[13], t1);
    (void)sp_4096_add_26(&r[26], &r[26], t2);
    (void)sp_4096_add_26(&r[39], &r[39], t0);
    (void)sp_4096_add_26(&r[52], &r[52], p4);
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_39(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[32] = a[32] + b[32];
    r[33] = a[33] + b[33];
    r[34] = a[34] + b[34];
    r[35] = a[35] + b[35];
    r[36] = a[36] + b[36];
    r[37] = a[37] + b[37];
    r[38] = a[38] + b[38];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_add_78(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 72; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[72] = a[72] + b[72];
    r[73] = a[73] + b[73];
    r[74] = a[74] + b[74];
    r[75] = a[75] + b[75];
    r[76] = a[76] + b[76];
    r[77] = a[77] + b[77];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_sub_78(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 72; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[72] = a[72] - b[72];
    r[73] = a[73] - b[73];
    r[74] = a[74] - b[74];
    r[75] = a[75] - b[75];
    r[76] = a[76] - b[76];
    r[77] = a[77] - b[77];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_4096_mul_78(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit* z0 = r;
    sp_digit z1[78];
    sp_digit* a1 = z1;
    sp_digit b1[39];
    sp_digit* z2 = r + 78;
    (void)sp_4096_add_39(a1, a, &a[39]);
    (void)sp_4096_add_39(b1, b, &b[39]);
    sp_4096_mul_39(z2, &a[39], &b[39]);
    sp_4096_mul_39(z0, a, b);
    sp_4096_mul_39(z1, a1, b1);
    (void)sp_4096_sub_78(z1, z1, z2);
    (void)sp_4096_sub_78(z1, z1, z0);
    (void)sp_4096_add_78(r + 39, r + 39, z1);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_4096_sqr_13(sp_digit* r, const sp_digit* a)
{
    sp_uint128 t0;
    sp_uint128 t1;
    sp_digit t[13];

    t0 =  ((sp_uint128)a[ 0]) * a[ 0];
    t1 = (((sp_uint128)a[ 0]) * a[ 1]) * 2;
    t[ 0] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[ 2]) * 2
       +  ((sp_uint128)a[ 1]) * a[ 1];
    t[ 1] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 0]) * a[ 3]
       +  ((sp_uint128)a[ 1]) * a[ 2]) * 2;
    t[ 2] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[ 4]
       +  ((sp_uint128)a[ 1]) * a[ 3]) * 2
       +  ((sp_uint128)a[ 2]) * a[ 2];
    t[ 3] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 0]) * a[ 5]
       +  ((sp_uint128)a[ 1]) * a[ 4]
       +  ((sp_uint128)a[ 2]) * a[ 3]) * 2;
    t[ 4] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[ 6]
       +  ((sp_uint128)a[ 1]) * a[ 5]
       +  ((sp_uint128)a[ 2]) * a[ 4]) * 2
       +  ((sp_uint128)a[ 3]) * a[ 3];
    t[ 5] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 0]) * a[ 7]
       +  ((sp_uint128)a[ 1]) * a[ 6]
       +  ((sp_uint128)a[ 2]) * a[ 5]
       +  ((sp_uint128)a[ 3]) * a[ 4]) * 2;
    t[ 6] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[ 8]
       +  ((sp_uint128)a[ 1]) * a[ 7]
       +  ((sp_uint128)a[ 2]) * a[ 6]
       +  ((sp_uint128)a[ 3]) * a[ 5]) * 2
       +  ((sp_uint128)a[ 4]) * a[ 4];
    t[ 7] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 0]) * a[ 9]
       +  ((sp_uint128)a[ 1]) * a[ 8]
       +  ((sp_uint128)a[ 2]) * a[ 7]
       +  ((sp_uint128)a[ 3]) * a[ 6]
       +  ((sp_uint128)a[ 4]) * a[ 5]) * 2;
    t[ 8] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[10]
       +  ((sp_uint128)a[ 1]) * a[ 9]
       +  ((sp_uint128)a[ 2]) * a[ 8]
       +  ((sp_uint128)a[ 3]) * a[ 7]
       +  ((sp_uint128)a[ 4]) * a[ 6]) * 2
       +  ((sp_uint128)a[ 5]) * a[ 5];
    t[ 9] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 0]) * a[11]
       +  ((sp_uint128)a[ 1]) * a[10]
       +  ((sp_uint128)a[ 2]) * a[ 9]
       +  ((sp_uint128)a[ 3]) * a[ 8]
       +  ((sp_uint128)a[ 4]) * a[ 7]
       +  ((sp_uint128)a[ 5]) * a[ 6]) * 2;
    t[10] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 0]) * a[12]
       +  ((sp_uint128)a[ 1]) * a[11]
       +  ((sp_uint128)a[ 2]) * a[10]
       +  ((sp_uint128)a[ 3]) * a[ 9]
       +  ((sp_uint128)a[ 4]) * a[ 8]
       +  ((sp_uint128)a[ 5]) * a[ 7]) * 2
       +  ((sp_uint128)a[ 6]) * a[ 6];
    t[11] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 1]) * a[12]
       +  ((sp_uint128)a[ 2]) * a[11]
       +  ((sp_uint128)a[ 3]) * a[10]
       +  ((sp_uint128)a[ 4]) * a[ 9]
       +  ((sp_uint128)a[ 5]) * a[ 8]
       +  ((sp_uint128)a[ 6]) * a[ 7]) * 2;
    t[12] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 2]) * a[12]
       +  ((sp_uint128)a[ 3]) * a[11]
       +  ((sp_uint128)a[ 4]) * a[10]
       +  ((sp_uint128)a[ 5]) * a[ 9]
       +  ((sp_uint128)a[ 6]) * a[ 8]) * 2
       +  ((sp_uint128)a[ 7]) * a[ 7];
    r[13] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 3]) * a[12]
       +  ((sp_uint128)a[ 4]) * a[11]
       +  ((sp_uint128)a[ 5]) * a[10]
       +  ((sp_uint128)a[ 6]) * a[ 9]
       +  ((sp_uint128)a[ 7]) * a[ 8]) * 2;
    r[14] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 4]) * a[12]
       +  ((sp_uint128)a[ 5]) * a[11]
       +  ((sp_uint128)a[ 6]) * a[10]
       +  ((sp_uint128)a[ 7]) * a[ 9]) * 2
       +  ((sp_uint128)a[ 8]) * a[ 8];
    r[15] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 5]) * a[12]
       +  ((sp_uint128)a[ 6]) * a[11]
       +  ((sp_uint128)a[ 7]) * a[10]
       +  ((sp_uint128)a[ 8]) * a[ 9]) * 2;
    r[16] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 6]) * a[12]
       +  ((sp_uint128)a[ 7]) * a[11]
       +  ((sp_uint128)a[ 8]) * a[10]) * 2
       +  ((sp_uint128)a[ 9]) * a[ 9];
    r[17] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 7]) * a[12]
       +  ((sp_uint128)a[ 8]) * a[11]
       +  ((sp_uint128)a[ 9]) * a[10]) * 2;
    r[18] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[ 8]) * a[12]
       +  ((sp_uint128)a[ 9]) * a[11]) * 2
       +  ((sp_uint128)a[10]) * a[10];
    r[19] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[ 9]) * a[12]
       +  ((sp_uint128)a[10]) * a[11]) * 2;
    r[20] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 = (((sp_uint128)a[10]) * a[12]) * 2
       +  ((sp_uint128)a[11]) * a[11];
    r[21] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    t1 = (((sp_uint128)a[11]) * a[12]) * 2;
    r[22] = t0 & 0x1fffffffffffffL; t1 += t0 >> 53;
    t0 =  ((sp_uint128)a[12]) * a[12];
    r[23] = t1 & 0x1fffffffffffffL; t0 += t1 >> 53;
    r[24] = t0 & 0x1fffffffffffffL;
    r[25] = (sp_digit)(t0 >> 53);
    XMEMCPY(r, t, sizeof(t));
}

/* Square a into r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_4096_sqr_39(sp_digit* r, const sp_digit* a)
{
    sp_digit p0[26];
    sp_digit p1[26];
    sp_digit p2[26];
    sp_digit p3[26];
    sp_digit p4[26];
    sp_digit p5[26];
    sp_digit t0[26];
    sp_digit t1[26];
    sp_digit t2[26];
    sp_digit a0[13];
    sp_digit a1[13];
    sp_digit a2[13];
    (void)sp_4096_add_13(a0, a, &a[13]);
    (void)sp_4096_add_13(a1, &a[13], &a[26]);
    (void)sp_4096_add_13(a2, a0, &a[26]);
    sp_4096_sqr_13(p0, a);
    sp_4096_sqr_13(p2, &a[13]);
    sp_4096_sqr_13(p4, &a[26]);
    sp_4096_sqr_13(p1, a0);
    sp_4096_sqr_13(p3, a1);
    sp_4096_sqr_13(p5, a2);
    XMEMSET(r, 0, sizeof(*r)*2U*39U);
    (void)sp_4096_sub_26(t0, p3, p2);
    (void)sp_4096_sub_26(t1, p1, p2);
    (void)sp_4096_sub_26(t2, p5, t0);
    (void)sp_4096_sub_26(t2, t2, t1);
    (void)sp_4096_sub_26(t0, t0, p4);
    (void)sp_4096_sub_26(t1, t1, p0);
    (void)sp_4096_add_26(r, r, p0);
    (void)sp_4096_add_26(&r[13], &r[13], t1);
    (void)sp_4096_add_26(&r[26], &r[26], t2);
    (void)sp_4096_add_26(&r[39], &r[39], t0);
    (void)sp_4096_add_26(&r[52], &r[52], p4);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_4096_sqr_78(sp_digit* r, const sp_digit* a)
{
    sp_digit* z0 = r;
    sp_digit z1[78];
    sp_digit* a1 = z1;
    sp_digit* z2 = r + 78;
    (void)sp_4096_add_39(a1, a, &a[39]);
    sp_4096_sqr_39(z2, &a[39]);
    sp_4096_sqr_39(z0, a);
    sp_4096_sqr_39(z1, a1);
    (void)sp_4096_sub_78(z1, z1, z2);
    (void)sp_4096_sub_78(z1, z1, z0);
    (void)sp_4096_add_78(r + 39, r + 39, z1);
}

#endif /* !WOLFSSL_SP_SMALL */
/* Calculate the bottom digit of -1/a mod 2^n.
 *
 * a    A single precision number.
 * rho  Bottom word of inverse.
 */
static void sp_4096_mont_setup(const sp_digit* a, sp_digit* rho)
{
    sp_digit x;
    sp_digit b;

    b = a[0];
    x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**8 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**16 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**32 */
    x *= 2 - b * x;               /* here x*a==1 mod 2**64 */
    x &= 0x1fffffffffffffL;

    /* rho = -1/m mod b */
    *rho = ((sp_digit)1 << 53) - x;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_78(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 76; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[76];
    r[76] = (sp_digit)(t & 0x1fffffffffffffL);
    t >>= 53;
    t += tb * a[77];
    r[77] = (sp_digit)(t & 0x1fffffffffffffL);
    t >>= 53;
    r[78] = (sp_digit)(t & 0x1fffffffffffffL);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH)) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
#if defined(WOLFSSL_HAVE_SP_RSA) && !defined(SP_RSA_PRIVATE_EXP_D)
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_4096_sub_39(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[32] = a[32] - b[32];
    r[33] = a[33] - b[33];
    r[34] = a[34] - b[34];
    r[35] = a[35] - b[35];
    r[36] = a[36] - b[36];
    r[37] = a[37] - b[37];
    r[38] = a[38] - b[38];

    return 0;
}

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 4096 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_4096_mont_norm_39(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = 0x1fffffffffffffL;
        r[i + 1] = 0x1fffffffffffffL;
        r[i + 2] = 0x1fffffffffffffL;
        r[i + 3] = 0x1fffffffffffffL;
        r[i + 4] = 0x1fffffffffffffL;
        r[i + 5] = 0x1fffffffffffffL;
        r[i + 6] = 0x1fffffffffffffL;
        r[i + 7] = 0x1fffffffffffffL;
    }
    r[32] = 0x1fffffffffffffL;
    r[33] = 0x1fffffffffffffL;
    r[34] = 0x1fffffffffffffL;
    r[35] = 0x1fffffffffffffL;
    r[36] = 0x1fffffffffffffL;
    r[37] = 0x1fffffffffffffL;
    r[38] = 0x3ffffffffL;

    /* r = (2^n - 1) mod n */
    (void)sp_4096_sub_39(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_4096_cmp_39(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[38] - b[38]) & (0 - (sp_digit)1);
    r |= (a[37] - b[37]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[36] - b[36]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[35] - b[35]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[34] - b[34]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[33] - b[33]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[32] - b[32]) & ~(((sp_digit)0 - r) >> 52);
    for (i = 24; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 52);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_4096_cond_sub_39(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[32] = a[32] - (b[32] & m);
    r[33] = a[33] - (b[33] & m);
    r[34] = a[34] - (b[34] & m);
    r[35] = a[35] - (b[35] & m);
    r[36] = a[36] - (b[36] & m);
    r[37] = a[37] - (b[37] & m);
    r[38] = a[38] - (b[38] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_add_39(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffffffffffffL);
    for (i = 0; i < 32; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 53) + (t[7] & 0x1fffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 53) + (t[0] & 0x1fffffffffffffL));
    }
    t[1] = tb * a[33];
    r[33] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
    t[2] = tb * a[34];
    r[34] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
    t[3] = tb * a[35];
    r[35] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
    t[4] = tb * a[36];
    r[36] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
    t[5] = tb * a[37];
    r[37] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
    t[6] = tb * a[38];
    r[38] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
    r[39] +=  (sp_digit)(t[6] >> 53);
}

/* Shift the result in the high 2048 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_4096_mont_shift_39(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[38] >> 34;
    n += ((sp_int128)a[39]) << 19;
    for (i = 0; i < 32; i += 8) {
        r[i + 0] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 40]) << 19;
        r[i + 1] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 41]) << 19;
        r[i + 2] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 42]) << 19;
        r[i + 3] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 43]) << 19;
        r[i + 4] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 44]) << 19;
        r[i + 5] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 45]) << 19;
        r[i + 6] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 46]) << 19;
        r[i + 7] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 47]) << 19;
    }
    r[32] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[72]) << 19;
    r[33] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[73]) << 19;
    r[34] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[74]) << 19;
    r[35] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[75]) << 19;
    r[36] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[76]) << 19;
    r[37] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[77]) << 19;
    r[38] = (sp_digit)n;
    XMEMSET(&r[39], 0, sizeof(*r) * 39U);
}

/* Reduce the number back to 4096 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_4096_mont_reduce_39(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_4096_norm_39(a + 39);

    for (i=0; i<38; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffL;
        sp_4096_mul_add_39(a+i, m, mu);
        a[i+1] += a[i] >> 53;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x3ffffffffL;
    sp_4096_mul_add_39(a+i, m, mu);
    a[i+1] += a[i] >> 53;
    a[i] &= 0x1fffffffffffffL;
    sp_4096_mont_shift_39(a, a);
    over = a[38] - m[38];
    sp_4096_cond_sub_39(a, a, m, ~((over - 1) >> 63));
    sp_4096_norm_39(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_mul_39(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_4096_mul_39(r, a, b);
    sp_4096_mont_reduce_39(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_sqr_39(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_4096_sqr_39(r, a);
    sp_4096_mont_reduce_39(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_39(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 36; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[36];
    r[36] = (sp_digit)(t & 0x1fffffffffffffL);
    t >>= 53;
    t += tb * a[37];
    r[37] = (sp_digit)(t & 0x1fffffffffffffL);
    t >>= 53;
    t += tb * a[38];
    r[38] = (sp_digit)(t & 0x1fffffffffffffL);
    t >>= 53;
    r[39] = (sp_digit)(t & 0x1fffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_4096_cond_add_39(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 32; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[32] = a[32] + (b[32] & m);
    r[33] = a[33] + (b[33] & m);
    r[34] = a[34] + (b[34] & m);
    r[35] = a[35] + (b[35] & m);
    r[36] = a[36] + (b[36] & m);
    r[37] = a[37] + (b[37] & m);
    r[38] = a[38] + (b[38] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_4096_rshift_39(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<32; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (53 - n)) & 0x1fffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (53 - n)) & 0x1fffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (53 - n)) & 0x1fffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (53 - n)) & 0x1fffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (53 - n)) & 0x1fffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (53 - n)) & 0x1fffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (53 - n)) & 0x1fffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (53 - n)) & 0x1fffffffffffffL);
    }
    r[32] = (a[32] >> n) | ((a[33] << (53 - n)) & 0x1fffffffffffffL);
    r[33] = (a[33] >> n) | ((a[34] << (53 - n)) & 0x1fffffffffffffL);
    r[34] = (a[34] >> n) | ((a[35] << (53 - n)) & 0x1fffffffffffffL);
    r[35] = (a[35] >> n) | ((a[36] << (53 - n)) & 0x1fffffffffffffL);
    r[36] = (a[36] >> n) | ((a[37] << (53 - n)) & 0x1fffffffffffffL);
    r[37] = (a[37] >> n) | ((a[38] << (53 - n)) & 0x1fffffffffffffL);
    r[38] = a[38] >> n;
}

static WC_INLINE sp_digit sp_4096_div_word_39(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 53) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 53);
    sp_digit t0 = (sp_digit)(d & 0x1fffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 51; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 52) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 53);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 106) - (sp_digit)(d >> 106);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 22) + 1;

    t = (sp_digit)(d >> 44);
    t = (t / dv) << 22;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 13);
    t = t / (dv << 9);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_4096_word_div_word_39(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_div_39(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 39 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 39 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 78 + 1;
        sd = t2 + 39 + 1;

        sp_4096_mul_d_39(sd, d, (sp_digit)1 << 19);
        sp_4096_mul_d_78(t1, a, (sp_digit)1 << 19);
        dv = sd[38];
        t1[39 + 39] += t1[39 + 39 - 1] >> 53;
        t1[39 + 39 - 1] &= 0x1fffffffffffffL;
        for (i=39; i>=0; i--) {
            r1 = sp_4096_div_word_39(t1[39 + i], t1[39 + i - 1], dv);

            sp_4096_mul_d_39(t2, sd, r1);
            (void)sp_4096_sub_39(&t1[i], &t1[i], t2);
            sp_4096_norm_39(&t1[i]);
            t1[39 + i] -= t2[39];
            t1[39 + i] += t1[39 + i - 1] >> 53;
            t1[39 + i - 1] &= 0x1fffffffffffffL;
            r1 = sp_4096_div_word_39(-t1[39 + i], -t1[39 + i - 1], dv);
            r1 -= t1[39 + i];
            sp_4096_mul_d_39(t2, sd, r1);
            (void)sp_4096_add_39(&t1[i], &t1[i], t2);
            t1[39 + i] += t1[39 + i - 1] >> 53;
            t1[39 + i - 1] &= 0x1fffffffffffffL;
        }
        t1[39 - 1] += t1[39 - 2] >> 53;
        t1[39 - 2] &= 0x1fffffffffffffL;
        r1 = sp_4096_word_div_word_39(t1[39 - 1], dv);

        sp_4096_mul_d_39(t2, sd, r1);
        sp_4096_sub_39(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 78U);
        for (i=0; i<38; i++) {
            r[i+1] += r[i] >> 53;
            r[i] &= 0x1fffffffffffffL;
        }
        sp_4096_cond_add_39(r, r, sd, r[38] >> 63);

        sp_4096_norm_39(r);
        sp_4096_rshift_39(r, r, 19);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_mod_39(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_4096_div_39(a, m, NULL, r);
}

/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_4096_mod_exp_39(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 78];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 39 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 39 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 39U * 2U);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_39(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_39(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 39U);
        }
    }
    if (err == MP_OKAY) {
        sp_4096_mul_39(t[1], t[1], norm);
        err = sp_4096_mod_39(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 53;
        c = bits % 53;
        n = e[i--] << (53 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 53;
            }

            y = (int)((n >> 52) & 1);
            n <<= 1;

            sp_4096_mont_mul_39(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 39 * 2);
            sp_4096_mont_sqr_39(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 39 * 2);
        }

        sp_4096_mont_reduce_39(t[0], m, mp);
        n = sp_4096_cmp_39(t[0], m);
        sp_4096_cond_sub_39(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 39 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 78];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 39 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 39 * 2);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_39(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_39(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_39(t[1], t[1], norm);
                err = sp_4096_mod_39(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_39(t[1], a, norm);
            err = sp_4096_mod_39(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 53;
        c = bits % 53;
        n = e[i--] << (53 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 53;
            }

            y = (int)((n >> 52) & 1);
            n <<= 1;

            sp_4096_mont_mul_39(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 39 * 2);
            sp_4096_mont_sqr_39(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 39 * 2);
        }

        sp_4096_mont_reduce_39(t[0], m, mp);
        n = sp_4096_cmp_39(t[0], m);
        sp_4096_cond_sub_39(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 39 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(32 * 78) + 78];
#endif
    sp_digit* t[32];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((32 * 78) + 78), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<32; i++)
            t[i] = td + i * 78;
        rt = td + 2496;

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_39(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_39(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_39(t[1], t[1], norm);
                err = sp_4096_mod_39(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_39(t[1], a, norm);
            err = sp_4096_mod_39(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_4096_mont_sqr_39(t[ 2], t[ 1], m, mp);
        sp_4096_mont_mul_39(t[ 3], t[ 2], t[ 1], m, mp);
        sp_4096_mont_sqr_39(t[ 4], t[ 2], m, mp);
        sp_4096_mont_mul_39(t[ 5], t[ 3], t[ 2], m, mp);
        sp_4096_mont_sqr_39(t[ 6], t[ 3], m, mp);
        sp_4096_mont_mul_39(t[ 7], t[ 4], t[ 3], m, mp);
        sp_4096_mont_sqr_39(t[ 8], t[ 4], m, mp);
        sp_4096_mont_mul_39(t[ 9], t[ 5], t[ 4], m, mp);
        sp_4096_mont_sqr_39(t[10], t[ 5], m, mp);
        sp_4096_mont_mul_39(t[11], t[ 6], t[ 5], m, mp);
        sp_4096_mont_sqr_39(t[12], t[ 6], m, mp);
        sp_4096_mont_mul_39(t[13], t[ 7], t[ 6], m, mp);
        sp_4096_mont_sqr_39(t[14], t[ 7], m, mp);
        sp_4096_mont_mul_39(t[15], t[ 8], t[ 7], m, mp);
        sp_4096_mont_sqr_39(t[16], t[ 8], m, mp);
        sp_4096_mont_mul_39(t[17], t[ 9], t[ 8], m, mp);
        sp_4096_mont_sqr_39(t[18], t[ 9], m, mp);
        sp_4096_mont_mul_39(t[19], t[10], t[ 9], m, mp);
        sp_4096_mont_sqr_39(t[20], t[10], m, mp);
        sp_4096_mont_mul_39(t[21], t[11], t[10], m, mp);
        sp_4096_mont_sqr_39(t[22], t[11], m, mp);
        sp_4096_mont_mul_39(t[23], t[12], t[11], m, mp);
        sp_4096_mont_sqr_39(t[24], t[12], m, mp);
        sp_4096_mont_mul_39(t[25], t[13], t[12], m, mp);
        sp_4096_mont_sqr_39(t[26], t[13], m, mp);
        sp_4096_mont_mul_39(t[27], t[14], t[13], m, mp);
        sp_4096_mont_sqr_39(t[28], t[14], m, mp);
        sp_4096_mont_mul_39(t[29], t[15], t[14], m, mp);
        sp_4096_mont_sqr_39(t[30], t[15], m, mp);
        sp_4096_mont_mul_39(t[31], t[16], t[15], m, mp);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 52) / 53) - 1;
        c = bits % 53;
        if (c == 0) {
            c = 53;
        }
        if (i < 39) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (11 - c);
            c += 53;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 78);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 11;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 48;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 11;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 53 - c;
            }

            sp_4096_mont_sqr_39(rt, rt, m, mp);
            sp_4096_mont_sqr_39(rt, rt, m, mp);
            sp_4096_mont_sqr_39(rt, rt, m, mp);
            sp_4096_mont_sqr_39(rt, rt, m, mp);
            sp_4096_mont_sqr_39(rt, rt, m, mp);

            sp_4096_mont_mul_39(rt, rt, t[y], m, mp);
        }

        sp_4096_mont_reduce_39(rt, m, mp);
        n = sp_4096_cmp_39(rt, m);
        sp_4096_cond_sub_39(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 78);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}

#endif /* WOLFSSL_HAVE_SP_RSA & !SP_RSA_PRIVATE_EXP_D */
#endif /* (WOLFSSL_HAVE_SP_RSA | WOLFSSL_HAVE_SP_DH) & !WOLFSSL_RSA_PUBLIC_ONLY */

/* r = 2^n mod m where n is the number of bits to reduce by.
 * Given m must be 4096 bits, just need to subtract.
 *
 * r  A single precision number.
 * m  A single precision number.
 */
static void sp_4096_mont_norm_78(sp_digit* r, const sp_digit* m)
{
    /* Set r = 2^n - 1. */
    int i;

    for (i = 0; i < 72; i += 8) {
        r[i + 0] = 0x1fffffffffffffL;
        r[i + 1] = 0x1fffffffffffffL;
        r[i + 2] = 0x1fffffffffffffL;
        r[i + 3] = 0x1fffffffffffffL;
        r[i + 4] = 0x1fffffffffffffL;
        r[i + 5] = 0x1fffffffffffffL;
        r[i + 6] = 0x1fffffffffffffL;
        r[i + 7] = 0x1fffffffffffffL;
    }
    r[72] = 0x1fffffffffffffL;
    r[73] = 0x1fffffffffffffL;
    r[74] = 0x1fffffffffffffL;
    r[75] = 0x1fffffffffffffL;
    r[76] = 0x1fffffffffffffL;
    r[77] = 0x7fffL;

    /* r = (2^n - 1) mod n */
    (void)sp_4096_sub_78(r, r, m);

    /* Add one so r = 2^n mod m */
    r[0] += 1;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_4096_cmp_78(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
    int i;

    r |= (a[77] - b[77]) & (0 - (sp_digit)1);
    r |= (a[76] - b[76]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[75] - b[75]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[74] - b[74]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[73] - b[73]) & ~(((sp_digit)0 - r) >> 52);
    r |= (a[72] - b[72]) & ~(((sp_digit)0 - r) >> 52);
    for (i = 64; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 52);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 52);
    }

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_4096_cond_sub_78(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 72; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[72] = a[72] - (b[72] & m);
    r[73] = a[73] - (b[73] & m);
    r[74] = a[74] - (b[74] & m);
    r[75] = a[75] - (b[75] & m);
    r[76] = a[76] - (b[76] & m);
    r[77] = a[77] - (b[77] & m);
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_add_78(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1fffffffffffffL);
    for (i = 0; i < 72; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 53) + (t[6] & 0x1fffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 53) + (t[7] & 0x1fffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 53) + (t[0] & 0x1fffffffffffffL));
    }
    t[1] = tb * a[73];
    r[73] += (sp_digit)((t[0] >> 53) + (t[1] & 0x1fffffffffffffL));
    t[2] = tb * a[74];
    r[74] += (sp_digit)((t[1] >> 53) + (t[2] & 0x1fffffffffffffL));
    t[3] = tb * a[75];
    r[75] += (sp_digit)((t[2] >> 53) + (t[3] & 0x1fffffffffffffL));
    t[4] = tb * a[76];
    r[76] += (sp_digit)((t[3] >> 53) + (t[4] & 0x1fffffffffffffL));
    t[5] = tb * a[77];
    r[77] += (sp_digit)((t[4] >> 53) + (t[5] & 0x1fffffffffffffL));
    r[78] +=  (sp_digit)(t[5] >> 53);
}

/* Shift the result in the high 4096 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_4096_mont_shift_78(sp_digit* r, const sp_digit* a)
{
    int i;
    sp_int128 n = a[77] >> 15;
    n += ((sp_int128)a[78]) << 38;
    for (i = 0; i < 72; i += 8) {
        r[i + 0] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 79]) << 38;
        r[i + 1] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 80]) << 38;
        r[i + 2] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 81]) << 38;
        r[i + 3] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 82]) << 38;
        r[i + 4] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 83]) << 38;
        r[i + 5] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 84]) << 38;
        r[i + 6] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 85]) << 38;
        r[i + 7] = n & 0x1fffffffffffffL;
        n >>= 53; n += ((sp_int128)a[i + 86]) << 38;
    }
    r[72] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[151]) << 38;
    r[73] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[152]) << 38;
    r[74] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[153]) << 38;
    r[75] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[154]) << 38;
    r[76] = n & 0x1fffffffffffffL; n >>= 53; n += ((sp_int128)a[155]) << 38;
    r[77] = (sp_digit)n;
    XMEMSET(&r[78], 0, sizeof(*r) * 78U);
}

/* Reduce the number back to 4096 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_4096_mont_reduce_78(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_4096_norm_78(a + 78);

#ifdef WOLFSSL_SP_DH
    if (mp != 1) {
        for (i=0; i<77; i++) {
            mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffL;
            sp_4096_mul_add_78(a+i, m, mu);
            a[i+1] += a[i] >> 53;
        }
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7fffL;
        sp_4096_mul_add_78(a+i, m, mu);
        a[i+1] += a[i] >> 53;
        a[i] &= 0x1fffffffffffffL;
    }
    else {
        for (i=0; i<77; i++) {
            mu = a[i] & 0x1fffffffffffffL;
            sp_4096_mul_add_78(a+i, m, mu);
            a[i+1] += a[i] >> 53;
        }
        mu = a[i] & 0x7fffL;
        sp_4096_mul_add_78(a+i, m, mu);
        a[i+1] += a[i] >> 53;
        a[i] &= 0x1fffffffffffffL;
    }
#else
    for (i=0; i<77; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1fffffffffffffL;
        sp_4096_mul_add_78(a+i, m, mu);
        a[i+1] += a[i] >> 53;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7fffL;
    sp_4096_mul_add_78(a+i, m, mu);
    a[i+1] += a[i] >> 53;
    a[i] &= 0x1fffffffffffffL;
#endif
    sp_4096_mont_shift_78(a, a);
    over = a[77] - m[77];
    sp_4096_cond_sub_78(a, a, m, ~((over - 1) >> 63));
    sp_4096_norm_78(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_mul_78(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_4096_mul_78(r, a, b);
    sp_4096_mont_reduce_78(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_4096_mont_sqr_78(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_4096_sqr_78(r, a);
    sp_4096_mont_reduce_78(r, m, mp);
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_4096_mul_d_156(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 156; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1fffffffffffffL);
        t >>= 53;
        r[i + 3] = (sp_digit)t2;
    }
    r[156] = (sp_digit)(t & 0x1fffffffffffffL);
}

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_4096_cond_add_78(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 72; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[72] = a[72] + (b[72] & m);
    r[73] = a[73] + (b[73] & m);
    r[74] = a[74] + (b[74] & m);
    r[75] = a[75] + (b[75] & m);
    r[76] = a[76] + (b[76] & m);
    r[77] = a[77] + (b[77] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_4096_rshift_78(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

    for (i=0; i<72; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (53 - n)) & 0x1fffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (53 - n)) & 0x1fffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (53 - n)) & 0x1fffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (53 - n)) & 0x1fffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (53 - n)) & 0x1fffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (53 - n)) & 0x1fffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (53 - n)) & 0x1fffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (53 - n)) & 0x1fffffffffffffL);
    }
    r[72] = (a[72] >> n) | ((a[73] << (53 - n)) & 0x1fffffffffffffL);
    r[73] = (a[73] >> n) | ((a[74] << (53 - n)) & 0x1fffffffffffffL);
    r[74] = (a[74] >> n) | ((a[75] << (53 - n)) & 0x1fffffffffffffL);
    r[75] = (a[75] >> n) | ((a[76] << (53 - n)) & 0x1fffffffffffffL);
    r[76] = (a[76] >> n) | ((a[77] << (53 - n)) & 0x1fffffffffffffL);
    r[77] = a[77] >> n;
}

static WC_INLINE sp_digit sp_4096_div_word_78(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 53) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 53);
    sp_digit t0 = (sp_digit)(d & 0x1fffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 51; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 52) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 53);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 106) - (sp_digit)(d >> 106);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 53) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 22) + 1;

    t = (sp_digit)(d >> 44);
    t = (t / dv) << 22;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 13);
    t = t / (dv << 9);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_4096_word_div_word_78(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_div_78(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 78 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 78 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 156 + 1;
        sd = t2 + 78 + 1;

        sp_4096_mul_d_78(sd, d, (sp_digit)1 << 38);
        sp_4096_mul_d_156(t1, a, (sp_digit)1 << 38);
        dv = sd[77];
        t1[78 + 78] += t1[78 + 78 - 1] >> 53;
        t1[78 + 78 - 1] &= 0x1fffffffffffffL;
        for (i=78; i>=0; i--) {
            r1 = sp_4096_div_word_78(t1[78 + i], t1[78 + i - 1], dv);

            sp_4096_mul_d_78(t2, sd, r1);
            (void)sp_4096_sub_78(&t1[i], &t1[i], t2);
            sp_4096_norm_78(&t1[i]);
            t1[78 + i] -= t2[78];
            t1[78 + i] += t1[78 + i - 1] >> 53;
            t1[78 + i - 1] &= 0x1fffffffffffffL;
            r1 = sp_4096_div_word_78(-t1[78 + i], -t1[78 + i - 1], dv);
            r1 -= t1[78 + i];
            sp_4096_mul_d_78(t2, sd, r1);
            (void)sp_4096_add_78(&t1[i], &t1[i], t2);
            t1[78 + i] += t1[78 + i - 1] >> 53;
            t1[78 + i - 1] &= 0x1fffffffffffffL;
        }
        t1[78 - 1] += t1[78 - 2] >> 53;
        t1[78 - 2] &= 0x1fffffffffffffL;
        r1 = sp_4096_word_div_word_78(t1[78 - 1], dv);

        sp_4096_mul_d_78(t2, sd, r1);
        sp_4096_sub_78(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 156U);
        for (i=0; i<77; i++) {
            r[i+1] += r[i] >> 53;
            r[i] &= 0x1fffffffffffffL;
        }
        sp_4096_cond_add_78(r, r, sd, r[77] >> 63);

        sp_4096_norm_78(r);
        sp_4096_rshift_78(r, r, 38);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_4096_mod_78(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_4096_div_78(a, m, NULL, r);
}

#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(WOLFSSL_HAVE_SP_DH)
#if (defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || \
                                                     defined(WOLFSSL_HAVE_SP_DH)
/* Modular exponentiate a to the e mod m. (r = a^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * a     A single precision number being exponentiated.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even or exponent is 0.
 */
static int sp_4096_mod_exp_78(sp_digit* r, const sp_digit* a, const sp_digit* e,
    int bits, const sp_digit* m, int reduceA)
{
#if defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_FAST_MODEXP)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 156];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 78 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 78 * 2);
            XMEMSET(t[i], 0, sizeof(sp_digit) * 78U * 2U);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_78(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_78(t[1], a, m);
        }
        else {
            XMEMCPY(t[1], a, sizeof(sp_digit) * 78U);
        }
    }
    if (err == MP_OKAY) {
        sp_4096_mul_78(t[1], t[1], norm);
        err = sp_4096_mod_78(t[1], t[1], m);
    }

    if (err == MP_OKAY) {
        i = bits / 53;
        c = bits % 53;
        n = e[i--] << (53 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 53;
            }

            y = (int)((n >> 52) & 1);
            n <<= 1;

            sp_4096_mont_mul_78(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 78 * 2);
            sp_4096_mont_sqr_78(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 78 * 2);
        }

        sp_4096_mont_reduce_78(t[0], m, mp);
        n = sp_4096_cmp_78(t[0], m);
        sp_4096_cond_sub_78(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 78 * 2);

    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#elif !defined(WC_NO_CACHE_RESISTANT)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[3 * 156];
#endif
    sp_digit* t[3] = {0, 0, 0};
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 3 * 78 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<3; i++) {
            t[i] = td + (i * 78 * 2);
        }

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_78(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_78(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_78(t[1], t[1], norm);
                err = sp_4096_mod_78(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_78(t[1], a, norm);
            err = sp_4096_mod_78(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        i = bits / 53;
        c = bits % 53;
        n = e[i--] << (53 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1) {
                    break;
                }

                n = e[i--];
                c = 53;
            }

            y = (int)((n >> 52) & 1);
            n <<= 1;

            sp_4096_mont_mul_78(t[y^1], t[0], t[1], m, mp);

            XMEMCPY(t[2], (void*)(((size_t)t[0] & addr_mask[y^1]) +
                                  ((size_t)t[1] & addr_mask[y])),
                                  sizeof(*t[2]) * 78 * 2);
            sp_4096_mont_sqr_78(t[2], t[2], m, mp);
            XMEMCPY((void*)(((size_t)t[0] & addr_mask[y^1]) +
                            ((size_t)t[1] & addr_mask[y])), t[2],
                            sizeof(*t[2]) * 78 * 2);
        }

        sp_4096_mont_reduce_78(t[0], m, mp);
        n = sp_4096_cmp_78(t[0], m);
        sp_4096_cond_sub_78(t[0], t[0], m, ~(n >> 63));
        XMEMCPY(r, t[0], sizeof(*r) * 78 * 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[(16 * 156) + 156];
#endif
    sp_digit* t[16];
    sp_digit* rt = NULL;
    sp_digit* norm = NULL;
    sp_digit mp = 1;
    sp_digit n;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * ((16 * 156) + 156), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        for (i=0; i<16; i++)
            t[i] = td + i * 156;
        rt = td + 2496;

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_78(norm, m);

        if (reduceA != 0) {
            err = sp_4096_mod_78(t[1], a, m);
            if (err == MP_OKAY) {
                sp_4096_mul_78(t[1], t[1], norm);
                err = sp_4096_mod_78(t[1], t[1], m);
            }
        }
        else {
            sp_4096_mul_78(t[1], a, norm);
            err = sp_4096_mod_78(t[1], t[1], m);
        }
    }

    if (err == MP_OKAY) {
        sp_4096_mont_sqr_78(t[ 2], t[ 1], m, mp);
        sp_4096_mont_mul_78(t[ 3], t[ 2], t[ 1], m, mp);
        sp_4096_mont_sqr_78(t[ 4], t[ 2], m, mp);
        sp_4096_mont_mul_78(t[ 5], t[ 3], t[ 2], m, mp);
        sp_4096_mont_sqr_78(t[ 6], t[ 3], m, mp);
        sp_4096_mont_mul_78(t[ 7], t[ 4], t[ 3], m, mp);
        sp_4096_mont_sqr_78(t[ 8], t[ 4], m, mp);
        sp_4096_mont_mul_78(t[ 9], t[ 5], t[ 4], m, mp);
        sp_4096_mont_sqr_78(t[10], t[ 5], m, mp);
        sp_4096_mont_mul_78(t[11], t[ 6], t[ 5], m, mp);
        sp_4096_mont_sqr_78(t[12], t[ 6], m, mp);
        sp_4096_mont_mul_78(t[13], t[ 7], t[ 6], m, mp);
        sp_4096_mont_sqr_78(t[14], t[ 7], m, mp);
        sp_4096_mont_mul_78(t[15], t[ 8], t[ 7], m, mp);

        bits = ((bits + 3) / 4) * 4;
        i = ((bits + 52) / 53) - 1;
        c = bits % 53;
        if (c == 0) {
            c = 53;
        }
        if (i < 78) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 4) {
            n |= e[i--] << (11 - c);
            c += 53;
        }
        y = (int)((n >> 60) & 0xf);
        n <<= 4;
        c -= 4;
        XMEMCPY(rt, t[y], sizeof(sp_digit) * 156);
        while ((i >= 0) || (c >= 4)) {
            if (c >= 4) {
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c -= 4;
            }
            else if (c == 0) {
                n = e[i--] << 11;
                y = (byte)((n >> 60) & 0xf);
                n <<= 4;
                c = 49;
            }
            else {
                y = (byte)((n >> 60) & 0xf);
                n = e[i--] << 11;
                c = 4 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 53 - c;
            }

            sp_4096_mont_sqr_78(rt, rt, m, mp);
            sp_4096_mont_sqr_78(rt, rt, m, mp);
            sp_4096_mont_sqr_78(rt, rt, m, mp);
            sp_4096_mont_sqr_78(rt, rt, m, mp);

            sp_4096_mont_mul_78(rt, rt, t[y], m, mp);
        }

        sp_4096_mont_reduce_78(rt, m, mp);
        n = sp_4096_cmp_78(rt, m);
        sp_4096_cond_sub_78(rt, rt, m, ~(n >> 63));
        XMEMCPY(r, rt, sizeof(sp_digit) * 156);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
#endif
}
#endif /* (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) || */
       /* WOLFSSL_HAVE_SP_DH */

#endif /* (WOLFSSL_HAVE_SP_RSA && !WOLFSSL_RSA_PUBLIC_ONLY) || WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_RSA
/* RSA public key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * em      Public exponent.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 512 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPublic_4096(const byte* in, word32 inLen, const mp_int* em,
    const mp_int* mm, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[78 * 5];
#endif
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_digit* norm = NULL;
    sp_uint64 e[1] = {0};
    sp_digit mp = 0;
    int i;
    int err = MP_OKAY;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }

    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        r = a + 78 * 2;
        m = r + 78 * 2;
        norm = r;

        sp_4096_from_bin(a, 78, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }

    if (err == MP_OKAY) {
        sp_4096_from_mp(m, 78, mm);

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_78(norm, m);
    }
    if (err == MP_OKAY) {
        sp_4096_mul_78(a, a, norm);
        err = sp_4096_mod_78(a, a, m);
    }
    if (err == MP_OKAY) {
        for (i=63; i>=0; i--) {
            if ((e[0] >> i) != 0) {
                break;
            }
        }

        XMEMCPY(r, a, sizeof(sp_digit) * 78 * 2);
        for (i--; i>=0; i--) {
            sp_4096_mont_sqr_78(r, r, m, mp);

            if (((e[0] >> i) & 1) == 1) {
                sp_4096_mont_mul_78(r, r, a, m, mp);
            }
        }
        sp_4096_mont_reduce_78(r, m, mp);
        mp = sp_4096_cmp_78(r, m);
        sp_4096_cond_sub_78(r, r, m, ~(mp >> 63));

        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[78 * 5];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    sp_uint64 e[1] = {0};
    int err = MP_OKAY;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(em) > 64) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 5, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d;
        r = a + 78 * 2;
        m = r + 78 * 2;

        sp_4096_from_bin(a, 78, in, inLen);
#if DIGIT_BIT >= 64
        e[0] = (sp_uint64)em->dp[0];
#else
        e[0] = (sp_uint64)em->dp[0];
        if (em->used > 1) {
            e[0] |= ((sp_uint64)em->dp[1]) << DIGIT_BIT;
        }
#endif
        if (e[0] == 0) {
            err = MP_EXPTMOD_E;
        }
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(m, 78, mm);

        if (e[0] == 0x3) {
            sp_4096_sqr_78(r, a);
            err = sp_4096_mod_78(r, r, m);
            if (err == MP_OKAY) {
                sp_4096_mul_78(r, a, r);
                err = sp_4096_mod_78(r, r, m);
            }
        }
        else {
            sp_digit* norm = r;
            int i;
            sp_digit mp;

            sp_4096_mont_setup(m, &mp);
            sp_4096_mont_norm_78(norm, m);

            sp_4096_mul_78(a, a, norm);
            err = sp_4096_mod_78(a, a, m);

            if (err == MP_OKAY) {
                for (i=63; i>=0; i--) {
                    if ((e[0] >> i) != 0) {
                        break;
                    }
                }

                XMEMCPY(r, a, sizeof(sp_digit) * 156U);
                for (i--; i>=0; i--) {
                    sp_4096_mont_sqr_78(r, r, m, mp);

                    if (((e[0] >> i) & 1) == 1) {
                        sp_4096_mont_mul_78(r, r, a, m, mp);
                    }
                }
                sp_4096_mont_reduce_78(r, m, mp);
                mp = sp_4096_cmp_78(r, m);
                sp_4096_cond_sub_78(r, r, m, ~(mp >> 63));
            }
        }
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif

    return err;
#endif /* WOLFSSL_SP_SMALL */
}

#ifndef WOLFSSL_RSA_PUBLIC_ONLY
#if !defined(SP_RSA_PRIVATE_EXP_D) && !defined(RSA_LOW_MEM)
#endif /* !SP_RSA_PRIVATE_EXP_D & !RSA_LOW_MEM */
/* RSA private key operation.
 *
 * in      Array of bytes representing the number to exponentiate, base.
 * inLen   Number of bytes in base.
 * dm      Private exponent.
 * pm      First prime.
 * qm      Second prime.
 * dpm     First prime's CRT exponent.
 * dqm     Second prime's CRT exponent.
 * qim     Inverse of second prime mod p.
 * mm      Modulus.
 * out     Buffer to hold big-endian bytes of exponentiation result.
 *         Must be at least 512 bytes long.
 * outLen  Number of bytes in result.
 * returns 0 on success, MP_TO_E when the outLen is too small, MP_READ_E when
 * an array is too long and MEMORY_E when dynamic memory allocation fails.
 */
int sp_RsaPrivate_4096(const byte* in, word32 inLen, const mp_int* dm,
    const mp_int* pm, const mp_int* qm, const mp_int* dpm, const mp_int* dqm,
    const mp_int* qim, const mp_int* mm, byte* out, word32* outLen)
{
#if defined(SP_RSA_PRIVATE_EXP_D) || defined(RSA_LOW_MEM)
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit  d[78 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 4096) {
           err = MP_READ_E;
        }
        else if (inLen > 512) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 78;
        m = a + 156;
        r = a;

        sp_4096_from_bin(a, 78, in, inLen);
        sp_4096_from_mp(d, 78, dm);
        sp_4096_from_mp(m, 78, mm);
        err = sp_4096_mod_exp_78(r, a, d, 4096, m, 0);
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 78);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* d = NULL;
#else
    sp_digit d[78 * 4];
#endif
    sp_digit* a = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)pm;
    (void)qm;
    (void)dpm;
    (void)dqm;
    (void)qim;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (mp_count_bits(dm) > 4096) {
            err = MP_READ_E;
        }
        else if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        d = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (d == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        a = d + 78;
        m = a + 156;
        r = a;

        sp_4096_from_bin(a, 78, in, inLen);
        sp_4096_from_mp(d, 78, dm);
        sp_4096_from_mp(m, 78, mm);
        err = sp_4096_mod_exp_78(r, a, d, 4096, m, 0);
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (d != NULL)
#endif
    {
        /* only "a" and "r" are sensitive and need zeroized (same pointer) */
        if (a != NULL)
            ForceZero(a, sizeof(sp_digit) * 78);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(d, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#else
#if defined(WOLFSSL_SP_SMALL)
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[39 * 8];
#endif
    sp_digit* p = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 512) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 39 * 8, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        p = a + 78;
        qi = dq = dp = p + 39;
        tmpa = qi + 39;
        tmpb = tmpa + 78;
        r = a;

        sp_4096_from_bin(a, 78, in, inLen);
        sp_4096_from_mp(p, 39, pm);
        sp_4096_from_mp(dp, 39, dpm);
        err = sp_4096_mod_exp_39(tmpa, a, dp, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 39, qm);
        sp_4096_from_mp(dq, 39, dqm);
        err = sp_4096_mod_exp_39(tmpb, a, dq, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 39, pm);
        (void)sp_4096_sub_39(tmpa, tmpa, tmpb);
        sp_4096_norm_39(tmpa);
        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
        sp_4096_norm_39(tmpa);

        sp_4096_from_mp(qi, 39, qim);
        sp_4096_mul_39(tmpa, tmpa, qi);
        err = sp_4096_mod_39(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_4096_from_mp(p, 39, qm);
        sp_4096_mul_39(tmpa, p, tmpa);
        (void)sp_4096_add_78(r, tmpb, tmpa);
        sp_4096_norm_78(r);

        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 39 * 8);
#ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
#endif
    }

    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* a = NULL;
#else
    sp_digit a[39 * 13];
#endif
    sp_digit* p = NULL;
    sp_digit* q = NULL;
    sp_digit* dp = NULL;
    sp_digit* dq = NULL;
    sp_digit* qi = NULL;
    sp_digit* tmpa = NULL;
    sp_digit* tmpb = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;

    (void)dm;
    (void)mm;

    if (*outLen < 512U) {
        err = MP_TO_E;
    }
    if (err == MP_OKAY) {
        if (inLen > 512U) {
            err = MP_READ_E;
        }
        else if (mp_count_bits(mm) != 4096) {
            err = MP_READ_E;
        }
        else if (mp_iseven(mm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(pm)) {
            err = MP_VAL;
        }
        else if (mp_iseven(qm)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        a = (sp_digit*)XMALLOC(sizeof(sp_digit) * 39 * 13, NULL,
                                                              DYNAMIC_TYPE_RSA);
        if (a == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = a + 78 * 2;
        q = p + 39;
        dp = q + 39;
        dq = dp + 39;
        qi = dq + 39;
        tmpa = qi + 39;
        tmpb = tmpa + 78;
        r = a;

        sp_4096_from_bin(a, 78, in, inLen);
        sp_4096_from_mp(p, 39, pm);
        sp_4096_from_mp(q, 39, qm);
        sp_4096_from_mp(dp, 39, dpm);
        sp_4096_from_mp(dq, 39, dqm);
        sp_4096_from_mp(qi, 39, qim);

        err = sp_4096_mod_exp_39(tmpa, a, dp, 2048, p, 1);
    }
    if (err == MP_OKAY) {
        err = sp_4096_mod_exp_39(tmpb, a, dq, 2048, q, 1);
    }

    if (err == MP_OKAY) {
        (void)sp_4096_sub_39(tmpa, tmpa, tmpb);
        sp_4096_norm_39(tmpa);
        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
        sp_4096_cond_add_39(tmpa, tmpa, p, 0 - ((sp_int_digit)tmpa[38] >> 63));
        sp_4096_norm_39(tmpa);
        sp_4096_mul_39(tmpa, tmpa, qi);
        err = sp_4096_mod_39(tmpa, tmpa, p);
    }

    if (err == MP_OKAY) {
        sp_4096_mul_39(tmpa, tmpa, q);
        (void)sp_4096_add_78(r, tmpb, tmpa);
        sp_4096_norm_78(r);

        sp_4096_to_bin_78(r, out);
        *outLen = 512;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
if (a != NULL)
#endif
    {
        ForceZero(a, sizeof(sp_digit) * 39 * 13);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(a, NULL, DYNAMIC_TYPE_RSA);
    #endif
    }

    return err;
#endif /* WOLFSSL_SP_SMALL */
#endif /* SP_RSA_PRIVATE_EXP_D || RSA_LOW_MEM */
}

#endif /* !WOLFSSL_RSA_PUBLIC_ONLY */
#endif /* WOLFSSL_HAVE_SP_RSA */
#if defined(WOLFSSL_HAVE_SP_DH) || (defined(WOLFSSL_HAVE_SP_RSA) && \
                                              !defined(WOLFSSL_RSA_PUBLIC_ONLY))
/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_4096_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (4096 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 53
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 78);
        r->used = 78;
        mp_clamp(r);
#elif DIGIT_BIT < 53
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 78; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 53) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 53 - s;
        }
        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 78; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 53 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 53 - s;
            }
            else {
                s += 53;
            }
        }
        r->used = (4096 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base  Base. MP integer.
 * exp   Exponent. MP integer.
 * mod   Modulus. MP integer.
 * res   Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_4096(const mp_int* base, const mp_int* exp, const mp_int* mod,
    mp_int* res)
{
#ifdef WOLFSSL_SP_SMALL
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[78 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expBits > 4096) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 78 * 2;
        m = e + 78;
        r = b;

        sp_4096_from_mp(b, 78, base);
        sp_4096_from_mp(e, 78, exp);
        sp_4096_from_mp(m, 78, mod);

        err = sp_4096_mod_exp_78(r, b, e, mp_count_bits(exp), m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_4096_to_mp(r, res);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 78U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }
    return err;
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[78 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    int err = MP_OKAY;
    int expBits = mp_count_bits(exp);

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expBits > 4096) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL, DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 78 * 2;
        m = e + 78;
        r = b;

        sp_4096_from_mp(b, 78, base);
        sp_4096_from_mp(e, 78, exp);
        sp_4096_from_mp(m, 78, mod);

        err = sp_4096_mod_exp_78(r, b, e, expBits, m, 0);
    }

    if (err == MP_OKAY) {
        err = sp_4096_to_mp(r, res);
    }


#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 78U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
#endif
}

#ifdef WOLFSSL_HAVE_SP_DH

#ifdef HAVE_FFDHE_4096
SP_NOINLINE static void sp_4096_lshift_78(sp_digit* r, const sp_digit* a,
        byte n)
{
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[77];
    r[78] = s >> (53U - n);
    s = (sp_int_digit)(a[77]); t = (sp_int_digit)(a[76]);
    r[77] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[76]); t = (sp_int_digit)(a[75]);
    r[76] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[75]); t = (sp_int_digit)(a[74]);
    r[75] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[74]); t = (sp_int_digit)(a[73]);
    r[74] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[73]); t = (sp_int_digit)(a[72]);
    r[73] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[72]); t = (sp_int_digit)(a[71]);
    r[72] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[71]); t = (sp_int_digit)(a[70]);
    r[71] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[70]); t = (sp_int_digit)(a[69]);
    r[70] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[69]); t = (sp_int_digit)(a[68]);
    r[69] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[68]); t = (sp_int_digit)(a[67]);
    r[68] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[67]); t = (sp_int_digit)(a[66]);
    r[67] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[66]); t = (sp_int_digit)(a[65]);
    r[66] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[65]); t = (sp_int_digit)(a[64]);
    r[65] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[64]); t = (sp_int_digit)(a[63]);
    r[64] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[63]); t = (sp_int_digit)(a[62]);
    r[63] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[62]); t = (sp_int_digit)(a[61]);
    r[62] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[61]); t = (sp_int_digit)(a[60]);
    r[61] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[60]); t = (sp_int_digit)(a[59]);
    r[60] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[59]); t = (sp_int_digit)(a[58]);
    r[59] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[58]); t = (sp_int_digit)(a[57]);
    r[58] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[57]); t = (sp_int_digit)(a[56]);
    r[57] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[56]); t = (sp_int_digit)(a[55]);
    r[56] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[55]); t = (sp_int_digit)(a[54]);
    r[55] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[54]); t = (sp_int_digit)(a[53]);
    r[54] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[53]); t = (sp_int_digit)(a[52]);
    r[53] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[52]); t = (sp_int_digit)(a[51]);
    r[52] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[51]); t = (sp_int_digit)(a[50]);
    r[51] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[50]); t = (sp_int_digit)(a[49]);
    r[50] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[49]); t = (sp_int_digit)(a[48]);
    r[49] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[48]); t = (sp_int_digit)(a[47]);
    r[48] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[47]); t = (sp_int_digit)(a[46]);
    r[47] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[46]); t = (sp_int_digit)(a[45]);
    r[46] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[45]); t = (sp_int_digit)(a[44]);
    r[45] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[44]); t = (sp_int_digit)(a[43]);
    r[44] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[43]); t = (sp_int_digit)(a[42]);
    r[43] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[42]); t = (sp_int_digit)(a[41]);
    r[42] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[41]); t = (sp_int_digit)(a[40]);
    r[41] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[40]); t = (sp_int_digit)(a[39]);
    r[40] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[39]); t = (sp_int_digit)(a[38]);
    r[39] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[38]); t = (sp_int_digit)(a[37]);
    r[38] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[37]); t = (sp_int_digit)(a[36]);
    r[37] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[36]); t = (sp_int_digit)(a[35]);
    r[36] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[35]); t = (sp_int_digit)(a[34]);
    r[35] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[34]); t = (sp_int_digit)(a[33]);
    r[34] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[33]); t = (sp_int_digit)(a[32]);
    r[33] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[32]); t = (sp_int_digit)(a[31]);
    r[32] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[31]); t = (sp_int_digit)(a[30]);
    r[31] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[30]); t = (sp_int_digit)(a[29]);
    r[30] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[29]); t = (sp_int_digit)(a[28]);
    r[29] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[28]); t = (sp_int_digit)(a[27]);
    r[28] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[27]); t = (sp_int_digit)(a[26]);
    r[27] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[26]); t = (sp_int_digit)(a[25]);
    r[26] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[25]); t = (sp_int_digit)(a[24]);
    r[25] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[24]); t = (sp_int_digit)(a[23]);
    r[24] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[23]); t = (sp_int_digit)(a[22]);
    r[23] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[22]); t = (sp_int_digit)(a[21]);
    r[22] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[21]); t = (sp_int_digit)(a[20]);
    r[21] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[20]); t = (sp_int_digit)(a[19]);
    r[20] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[19]); t = (sp_int_digit)(a[18]);
    r[19] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[18]); t = (sp_int_digit)(a[17]);
    r[18] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
    r[17] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
    r[16] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
    r[15] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
    r[14] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
    r[13] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
    r[12] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
    r[11] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
    r[10] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (53U - n))) & 0x1fffffffffffffUL;
    r[0] = (a[0] << n) & 0x1fffffffffffffL;
}

/* Modular exponentiate 2 to the e mod m. (r = 2^e mod m)
 *
 * r     A single precision number that is the result of the operation.
 * e     A single precision number that is the exponent.
 * bits  The number of bits in the exponent.
 * m     A single precision number that is the modulus.
 * returns  0 on success.
 * returns  MEMORY_E on dynamic memory allocation failure.
 * returns  MP_VAL when base is even.
 */
static int sp_4096_mod_exp_2_78(sp_digit* r, const sp_digit* e, int bits, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* td = NULL;
#else
    sp_digit td[235];
#endif
    sp_digit* norm = NULL;
    sp_digit* tmp = NULL;
    sp_digit mp = 1;
    sp_digit n;
    sp_digit o;
    int i;
    int c;
    byte y;
    int err = MP_OKAY;

    if (bits == 0) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 235, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        norm = td;
        tmp  = td + 156;
        XMEMSET(td, 0, sizeof(sp_digit) * 235);

        sp_4096_mont_setup(m, &mp);
        sp_4096_mont_norm_78(norm, m);

        bits = ((bits + 4) / 5) * 5;
        i = ((bits + 52) / 53) - 1;
        c = bits % 53;
        if (c == 0) {
            c = 53;
        }
        if (i < 78) {
            n = e[i--] << (64 - c);
        }
        else {
            n = 0;
            i--;
        }
        if (c < 5) {
            n |= e[i--] << (11 - c);
            c += 53;
        }
        y = (int)((n >> 59) & 0x1f);
        n <<= 5;
        c -= 5;
        sp_4096_lshift_78(r, norm, (byte)y);
        while ((i >= 0) || (c >= 5)) {
            if (c >= 5) {
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c -= 5;
            }
            else if (c == 0) {
                n = e[i--] << 11;
                y = (byte)((n >> 59) & 0x1f);
                n <<= 5;
                c = 48;
            }
            else {
                y = (byte)((n >> 59) & 0x1f);
                n = e[i--] << 11;
                c = 5 - c;
                y |= (byte)((n >> (64 - c)) & ((1 << c) - 1));
                n <<= c;
                c = 53 - c;
            }

            sp_4096_mont_sqr_78(r, r, m, mp);
            sp_4096_mont_sqr_78(r, r, m, mp);
            sp_4096_mont_sqr_78(r, r, m, mp);
            sp_4096_mont_sqr_78(r, r, m, mp);
            sp_4096_mont_sqr_78(r, r, m, mp);

            sp_4096_lshift_78(r, r, (byte)y);
            sp_4096_mul_d_78(tmp, norm, (r[78] << 38) + (r[77] >> 15));
            r[78] = 0;
            r[77] &= 0x7fffL;
            (void)sp_4096_add_78(r, r, tmp);
            sp_4096_norm_78(r);
            o = sp_4096_cmp_78(r, m);
            sp_4096_cond_sub_78(r, r, m, ~(o >> 63));
        }

        sp_4096_mont_reduce_78(r, m, mp);
        n = sp_4096_cmp_78(r, m);
        sp_4096_cond_sub_78(r, r, m, ~(n >> 63));
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (td != NULL)
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

#endif /* HAVE_FFDHE_4096 */

/* Perform the modular exponentiation for Diffie-Hellman.
 *
 * base     Base.
 * exp      Array of bytes that is the exponent.
 * expLen   Length of data, in bytes, in exponent.
 * mod      Modulus.
 * out      Buffer to hold big-endian bytes of exponentiation result.
 *          Must be at least 512 bytes long.
 * outLen   Length, in bytes, of exponentiation result.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_DhExp_4096(const mp_int* base, const byte* exp, word32 expLen,
    const mp_int* mod, byte* out, word32* outLen)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* b = NULL;
#else
    sp_digit b[78 * 4];
#endif
    sp_digit* e = NULL;
    sp_digit* m = NULL;
    sp_digit* r = NULL;
    word32 i;
    int err = MP_OKAY;

    if (mp_count_bits(base) > 4096) {
        err = MP_READ_E;
    }
    else if (expLen > 512U) {
        err = MP_READ_E;
    }
    else if (mp_count_bits(mod) != 4096) {
        err = MP_READ_E;
    }
    else if (mp_iseven(mod)) {
        err = MP_VAL;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        b = (sp_digit*)XMALLOC(sizeof(sp_digit) * 78 * 4, NULL,
            DYNAMIC_TYPE_DH);
        if (b == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        e = b + 78 * 2;
        m = e + 78;
        r = b;

        sp_4096_from_mp(b, 78, base);
        sp_4096_from_bin(e, 78, exp, expLen);
        sp_4096_from_mp(m, 78, mod);

    #ifdef HAVE_FFDHE_4096
        if (base->used == 1 && base->dp[0] == 2U &&
                ((m[77] << 17) | (m[76] >> 36)) == 0xffffffffL) {
            err = sp_4096_mod_exp_2_78(r, e, expLen * 8U, m);
        }
        else {
    #endif
            err = sp_4096_mod_exp_78(r, b, e, expLen * 8U, m, 0);
    #ifdef HAVE_FFDHE_4096
        }
    #endif
    }

    if (err == MP_OKAY) {
        sp_4096_to_bin_78(r, out);
        *outLen = 512;
        for (i=0; i<512U && out[i] == 0U; i++) {
            /* Search for first non-zero. */
        }
        *outLen -= i;
        XMEMMOVE(out, out + i, *outLen);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (b != NULL)
#endif
    {
        /* only "e" is sensitive and needs zeroized */
        if (e != NULL)
            ForceZero(e, sizeof(sp_digit) * 78U);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(b, NULL, DYNAMIC_TYPE_DH);
    #endif
    }

    return err;
}
#endif /* WOLFSSL_HAVE_SP_DH */

#endif /* WOLFSSL_HAVE_SP_DH | (WOLFSSL_HAVE_SP_RSA & !WOLFSSL_RSA_PUBLIC_ONLY) */

#endif /* WOLFSSL_SP_SMALL */
#endif /* WOLFSSL_SP_4096 */

#endif /* WOLFSSL_HAVE_SP_RSA | WOLFSSL_HAVE_SP_DH */
#ifdef WOLFSSL_HAVE_SP_ECC
#ifndef WOLFSSL_SP_NO_256

/* Point structure to use. */
typedef struct sp_point_256 {
    /* X ordinate of point. */
    sp_digit x[2 * 5];
    /* Y ordinate of point. */
    sp_digit y[2 * 5];
    /* Z ordinate of point. */
    sp_digit z[2 * 5];
    /* Indicates point is at infinity. */
    int infinity;
} sp_point_256;

/* The modulus (prime) of the curve P256. */
static const sp_digit p256_mod[5] = {
    0xfffffffffffffL,0x00fffffffffffL,0x0000000000000L,0x0001000000000L,
    0x0ffffffff0000L
};
/* The Montgomery normalizer for modulus of the curve P256. */
static const sp_digit p256_norm_mod[5] = {
    0x0000000000001L,0xff00000000000L,0xfffffffffffffL,0xfffefffffffffL,
    0x000000000ffffL
};
/* The Montgomery multiplier for modulus of the curve P256. */
static const sp_digit p256_mp_mod = 0x0000000000001;
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                            defined(HAVE_ECC_VERIFY)
/* The order of the curve P256. */
static const sp_digit p256_order[5] = {
    0x9cac2fc632551L,0xada7179e84f3bL,0xfffffffbce6faL,0x0000fffffffffL,
    0x0ffffffff0000L
};
#endif
/* The order of the curve P256 minus 2. */
static const sp_digit p256_order2[5] = {
    0x9cac2fc63254fL,0xada7179e84f3bL,0xfffffffbce6faL,0x0000fffffffffL,
    0x0ffffffff0000L
};
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery normalizer for order of the curve P256. */
static const sp_digit p256_norm_order[5] = {
    0x6353d039cdaafL,0x5258e8617b0c4L,0x0000000431905L,0xffff000000000L,
    0x000000000ffffL
};
#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery multiplier for order of the curve P256. */
static const sp_digit p256_mp_order = 0x1c8aaee00bc4fL;
#endif
/* The base point of curve P256. */
static const sp_point_256 p256_base = {
    /* X ordinate */
    {
        0x13945d898c296L,0x812deb33a0f4aL,0x3a440f277037dL,0x4247f8bce6e56L,
        0x06b17d1f2e12cL,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Y ordinate */
    {
        0x6406837bf51f5L,0x576b315ececbbL,0xc0f9e162bce33L,0x7f9b8ee7eb4a7L,
        0x04fe342e2fe1aL,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Z ordinate */
    {
        0x0000000000001L,0x0000000000000L,0x0000000000000L,0x0000000000000L,
        0x0000000000000L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* infinity */
    0
};
#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
static const sp_digit p256_b[5] = {
    0xe3c3e27d2604bL,0xb0cc53b0f63bcL,0x69886bc651d06L,0x93e7b3ebbd557L,
    0x05ac635d8aa3aL
};
#endif

#ifdef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_256_mul_5(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[4]) * b[4];
    r[9] = (sp_digit)(c >> 52);
    c &= 0xfffffffffffffL;
    for (k = 7; k >= 0; k--) {
        if (k >= 5) {
            i = k - 4;
            imax = 4;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 52;
        r[k + 2] += (sp_digit)(c >> 52);
        r[k + 1]  = (sp_digit)(c & 0xfffffffffffffL);
        c = lo & 0xfffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

#else
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_256_mul_5(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_int128 t0   = ((sp_int128)a[ 0]) * b[ 0];
    sp_int128 t1   = ((sp_int128)a[ 0]) * b[ 1]
                 + ((sp_int128)a[ 1]) * b[ 0];
    sp_int128 t2   = ((sp_int128)a[ 0]) * b[ 2]
                 + ((sp_int128)a[ 1]) * b[ 1]
                 + ((sp_int128)a[ 2]) * b[ 0];
    sp_int128 t3   = ((sp_int128)a[ 0]) * b[ 3]
                 + ((sp_int128)a[ 1]) * b[ 2]
                 + ((sp_int128)a[ 2]) * b[ 1]
                 + ((sp_int128)a[ 3]) * b[ 0];
    sp_int128 t4   = ((sp_int128)a[ 0]) * b[ 4]
                 + ((sp_int128)a[ 1]) * b[ 3]
                 + ((sp_int128)a[ 2]) * b[ 2]
                 + ((sp_int128)a[ 3]) * b[ 1]
                 + ((sp_int128)a[ 4]) * b[ 0];
    sp_int128 t5   = ((sp_int128)a[ 1]) * b[ 4]
                 + ((sp_int128)a[ 2]) * b[ 3]
                 + ((sp_int128)a[ 3]) * b[ 2]
                 + ((sp_int128)a[ 4]) * b[ 1];
    sp_int128 t6   = ((sp_int128)a[ 2]) * b[ 4]
                 + ((sp_int128)a[ 3]) * b[ 3]
                 + ((sp_int128)a[ 4]) * b[ 2];
    sp_int128 t7   = ((sp_int128)a[ 3]) * b[ 4]
                 + ((sp_int128)a[ 4]) * b[ 3];
    sp_int128 t8   = ((sp_int128)a[ 4]) * b[ 4];

    t1   += t0  >> 52; r[ 0] = t0  & 0xfffffffffffffL;
    t2   += t1  >> 52; r[ 1] = t1  & 0xfffffffffffffL;
    t3   += t2  >> 52; r[ 2] = t2  & 0xfffffffffffffL;
    t4   += t3  >> 52; r[ 3] = t3  & 0xfffffffffffffL;
    t5   += t4  >> 52; r[ 4] = t4  & 0xfffffffffffffL;
    t6   += t5  >> 52; r[ 5] = t5  & 0xfffffffffffffL;
    t7   += t6  >> 52; r[ 6] = t6  & 0xfffffffffffffL;
    t8   += t7  >> 52; r[ 7] = t7  & 0xfffffffffffffL;
    r[9] = (sp_digit)(t8 >> 52);
                       r[8] = t8 & 0xfffffffffffffL;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_256_sqr_5(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[4]) * a[4];
    r[9] = (sp_digit)(c >> 52);
    c = (c & 0xfffffffffffffL) << 52;
    for (k = 7; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 4) {
            imax = k;
        }
        else {
            imax = 4;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 104);
        r[k + 1]  = (sp_digit)((c >> 52) & 0xfffffffffffffL);
        c = (c & 0xfffffffffffffL) << 52;
    }
    r[0] = (sp_digit)(c >> 52);
}

#else
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_256_sqr_5(sp_digit* r, const sp_digit* a)
{
    sp_int128 t0   =  ((sp_int128)a[ 0]) * a[ 0];
    sp_int128 t1   = (((sp_int128)a[ 0]) * a[ 1]) * 2;
    sp_int128 t2   = (((sp_int128)a[ 0]) * a[ 2]) * 2
                 +  ((sp_int128)a[ 1]) * a[ 1];
    sp_int128 t3   = (((sp_int128)a[ 0]) * a[ 3]
                 +  ((sp_int128)a[ 1]) * a[ 2]) * 2;
    sp_int128 t4   = (((sp_int128)a[ 0]) * a[ 4]
                 +  ((sp_int128)a[ 1]) * a[ 3]) * 2
                 +  ((sp_int128)a[ 2]) * a[ 2];
    sp_int128 t5   = (((sp_int128)a[ 1]) * a[ 4]
                 +  ((sp_int128)a[ 2]) * a[ 3]) * 2;
    sp_int128 t6   = (((sp_int128)a[ 2]) * a[ 4]) * 2
                 +  ((sp_int128)a[ 3]) * a[ 3];
    sp_int128 t7   = (((sp_int128)a[ 3]) * a[ 4]) * 2;
    sp_int128 t8   =  ((sp_int128)a[ 4]) * a[ 4];

    t1   += t0  >> 52; r[ 0] = t0  & 0xfffffffffffffL;
    t2   += t1  >> 52; r[ 1] = t1  & 0xfffffffffffffL;
    t3   += t2  >> 52; r[ 2] = t2  & 0xfffffffffffffL;
    t4   += t3  >> 52; r[ 3] = t3  & 0xfffffffffffffL;
    t5   += t4  >> 52; r[ 4] = t4  & 0xfffffffffffffL;
    t6   += t5  >> 52; r[ 5] = t5  & 0xfffffffffffffL;
    t7   += t6  >> 52; r[ 6] = t6  & 0xfffffffffffffL;
    t8   += t7  >> 52; r[ 7] = t7  & 0xfffffffffffffL;
    r[9] = (sp_digit)(t8 >> 52);
                       r[8] = t8 & 0xfffffffffffffL;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_256_add_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 5; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}
#else
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_256_add_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_256_sub_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 5; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

#else
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_256_sub_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] - b[ 0];
    r[ 1] = a[ 1] - b[ 1];
    r[ 2] = a[ 2] - b[ 2];
    r[ 3] = a[ 3] - b[ 3];
    r[ 4] = a[ 4] - b[ 4];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_256_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 52
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 51);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 51);
    }
#elif DIGIT_BIT > 52
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0xfffffffffffffL;
        s = 52U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 52U) <= (word32)DIGIT_BIT) {
            s += 52U;
            r[j] &= 0xfffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 52) {
            r[j] &= 0xfffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 52 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Convert a point of type ecc_point to type sp_point_256.
 *
 * p   Point of type sp_point_256 (result).
 * pm  Point of type ecc_point.
 */
static void sp_256_point_from_ecc_point_5(sp_point_256* p,
        const ecc_point* pm)
{
    XMEMSET(p->x, 0, sizeof(p->x));
    XMEMSET(p->y, 0, sizeof(p->y));
    XMEMSET(p->z, 0, sizeof(p->z));
    sp_256_from_mp(p->x, 5, pm->x);
    sp_256_from_mp(p->y, 5, pm->y);
    sp_256_from_mp(p->z, 5, pm->z);
    p->infinity = 0;
}

/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_256_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (256 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 52
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 5);
        r->used = 5;
        mp_clamp(r);
#elif DIGIT_BIT < 52
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 5; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 52) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 52 - s;
        }
        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 5; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 52 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 52 - s;
            }
            else {
                s += 52;
            }
        }
        r->used = (256 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Convert a point of type sp_point_256 to type ecc_point.
 *
 * p   Point of type sp_point_256.
 * pm  Point of type ecc_point (result).
 * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
 * MP_OKAY.
 */
static int sp_256_point_to_ecc_point_5(const sp_point_256* p, ecc_point* pm)
{
    int err;

    err = sp_256_to_mp(p->x, pm->x);
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->y, pm->y);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->z, pm->z);
    }

    return err;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_256_cmp_5(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=4; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 51);
    }
#else
    r |= (a[ 4] - b[ 4]) & (0 - (sp_digit)1);
    r |= (a[ 3] - b[ 3]) & ~(((sp_digit)0 - r) >> 51);
    r |= (a[ 2] - b[ 2]) & ~(((sp_digit)0 - r) >> 51);
    r |= (a[ 1] - b[ 1]) & ~(((sp_digit)0 - r) >> 51);
    r |= (a[ 0] - b[ 0]) & ~(((sp_digit)0 - r) >> 51);
#endif /* WOLFSSL_SP_SMALL */

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_256_cond_sub_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 5; i++) {
        r[i] = a[i] - (b[i] & m);
    }
#else
    r[ 0] = a[ 0] - (b[ 0] & m);
    r[ 1] = a[ 1] - (b[ 1] & m);
    r[ 2] = a[ 2] - (b[ 2] & m);
    r[ 3] = a[ 3] - (b[ 3] & m);
    r[ 4] = a[ 4] - (b[ 4] & m);
#endif /* WOLFSSL_SP_SMALL */
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_256_mul_add_5(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 4; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0xfffffffffffffL;
        t[1] += t[0] >> 52;
        r[i+1] = t[1] & 0xfffffffffffffL;
        t[2] += t[1] >> 52;
        r[i+2] = t[2] & 0xfffffffffffffL;
        t[3] += t[2] >> 52;
        r[i+3] = t[3] & 0xfffffffffffffL;
        t[0]  = t[3] >> 52;
    }
    t[0] += (tb * a[4]) + r[4];
    r[4] = t[0] & 0xfffffffffffffL;
    r[5] +=  (sp_digit)(t[0] >> 52);
#else
    sp_int128 tb = b;
    sp_int128 t[5];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    r[ 0] += (sp_digit)                 (t[ 0] & 0xfffffffffffffL);
    r[ 1] += (sp_digit)((t[ 0] >> 52) + (t[ 1] & 0xfffffffffffffL));
    r[ 2] += (sp_digit)((t[ 1] >> 52) + (t[ 2] & 0xfffffffffffffL));
    r[ 3] += (sp_digit)((t[ 2] >> 52) + (t[ 3] & 0xfffffffffffffL));
    r[ 4] += (sp_digit)((t[ 3] >> 52) + (t[ 4] & 0xfffffffffffffL));
    r[ 5] += (sp_digit) (t[ 4] >> 52);
#endif /* WOLFSSL_SP_SMALL */
}

/* Normalize the values in each word to 52 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_256_norm_5(sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    for (i = 0; i < 4; i++) {
        a[i+1] += a[i] >> 52;
        a[i] &= 0xfffffffffffffL;
    }
#else
    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;
#endif /* WOLFSSL_SP_SMALL */
}

/* Shift the result in the high 256 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_256_mont_shift_5(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    sp_uint64 n;

    n = a[4] >> 48;
    for (i = 0; i < 4; i++) {
        n += (sp_uint64)a[5 + i] << 4;
        r[i] = n & 0xfffffffffffffL;
        n >>= 52;
    }
    n += (sp_uint64)a[9] << 4;
    r[4] = n;
#else
    sp_uint64 n;

    n  = a[4] >> 48;
    n += (sp_uint64)a[ 5] << 4U; r[ 0] = n & 0xfffffffffffffUL; n >>= 52U;
    n += (sp_uint64)a[ 6] << 4U; r[ 1] = n & 0xfffffffffffffUL; n >>= 52U;
    n += (sp_uint64)a[ 7] << 4U; r[ 2] = n & 0xfffffffffffffUL; n >>= 52U;
    n += (sp_uint64)a[ 8] << 4U; r[ 3] = n & 0xfffffffffffffUL; n >>= 52U;
    n += (sp_uint64)a[ 9] << 4U; r[ 4] = n;
#endif /* WOLFSSL_SP_SMALL */
    XMEMSET(&r[5], 0, sizeof(*r) * 5U);
}

/* Reduce the number back to 256 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_256_mont_reduce_order_5(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_256_norm_5(a + 5);

    for (i=0; i<4; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xfffffffffffffL;
        sp_256_mul_add_5(a+i, m, mu);
        a[i+1] += a[i] >> 52;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0xffffffffffffL;
    sp_256_mul_add_5(a+i, m, mu);
    a[i+1] += a[i] >> 52;
    a[i] &= 0xfffffffffffffL;
    sp_256_mont_shift_5(a, a);
    over = a[4] >> 48;
    sp_256_cond_sub_5(a, a, m, ~((over - 1) >> 63));
    sp_256_norm_5(a);
}

/* Reduce the number back to 256 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_256_mont_reduce_5(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_int128 t;
    sp_digit am;

    (void)m;
    (void)mp;

    for (i = 0; i < 4; i++) {
        am = a[i] & 0xfffffffffffffL;
        /* Fifth word of modulus word */
        t = am; t *= 0x0ffffffff0000L;

        a[i + 1] += (am << 44) & 0xfffffffffffffL;
        a[i + 2] += am >> 8;
        a[i + 3] += (am << 36) & 0xfffffffffffffL;
        a[i + 4] += (am >> 16) + (t & 0xfffffffffffffL);
        a[i + 5] +=  t >> 52;

        a[i + 1] += a[i] >> 52;
    }
    am = a[4] & 0xffffffffffff;
    /* Fifth word of modulus word */
    t = am; t *= 0x0ffffffff0000L;

    a[4 + 1] += (am << 44) & 0xfffffffffffffL;
    a[4 + 2] += am >> 8;
    a[4 + 3] += (am << 36) & 0xfffffffffffffL;
    a[4 + 4] += (am >> 16) + (t & 0xfffffffffffffL);
    a[4 + 5] +=  t >> 52;

    a[0] = (a[4] >> 48) + ((a[5] << 4) & 0xfffffffffffffL);
    a[1] = (a[5] >> 48) + ((a[6] << 4) & 0xfffffffffffffL);
    a[2] = (a[6] >> 48) + ((a[7] << 4) & 0xfffffffffffffL);
    a[3] = (a[7] >> 48) + ((a[8] << 4) & 0xfffffffffffffL);
    a[4] = (a[8] >> 48) +  (a[9] << 4);

    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;

    /* Get the bit over, if any. */
    am = a[4] >> 48;
    /* Create mask. */
    am = 0 - am;

    a[0] -= 0x000fffffffffffffL & am;
    a[1] -= 0x00000fffffffffffL & am;
    /* p256_mod[2] is zero */
    a[3] -= 0x0000001000000000L & am;
    a[4] -= 0x0000ffffffff0000L & am;

    a[1] += a[0] >> 52; a[0] &= 0xfffffffffffffL;
    a[2] += a[1] >> 52; a[1] &= 0xfffffffffffffL;
    a[3] += a[2] >> 52; a[2] &= 0xfffffffffffffL;
    a[4] += a[3] >> 52; a[3] &= 0xfffffffffffffL;
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_256_mont_mul_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_256_mul_5(r, a, b);
    sp_256_mont_reduce_5(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_256_mont_sqr_5(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_256_sqr_5(r, a);
    sp_256_mont_reduce_5(r, m, mp);
}

#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * n   Number of times to square.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_256_mont_sqr_n_5(sp_digit* r,
    const sp_digit* a, int n, const sp_digit* m, sp_digit mp)
{
    sp_256_mont_sqr_5(r, a, m, mp);
    for (; n > 1; n--) {
        sp_256_mont_sqr_5(r, r, m, mp);
    }
}

#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
#ifdef WOLFSSL_SP_SMALL
/* Mod-2 for the P256 curve. */
static const uint64_t p256_mod_minus_2[4] = {
    0xfffffffffffffffdU,0x00000000ffffffffU,0x0000000000000000U,
    0xffffffff00000001U
};
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
 * P256 curve. (r = 1 / a mod m)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */
static void sp_256_mont_inv_5(sp_digit* r, const sp_digit* a, sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 5);
    for (i=254; i>=0; i--) {
        sp_256_mont_sqr_5(t, t, p256_mod, p256_mp_mod);
        if (p256_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
            sp_256_mont_mul_5(t, t, a, p256_mod, p256_mp_mod);
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 5);
#else
    sp_digit* t1 = td;
    sp_digit* t2 = td + 2 * 5;
    sp_digit* t3 = td + 4 * 5;
    /* 0x2 */
    sp_256_mont_sqr_5(t1, a, p256_mod, p256_mp_mod);
    /* 0x3 */
    sp_256_mont_mul_5(t2, t1, a, p256_mod, p256_mp_mod);
    /* 0xc */
    sp_256_mont_sqr_n_5(t1, t2, 2, p256_mod, p256_mp_mod);
    /* 0xd */
    sp_256_mont_mul_5(t3, t1, a, p256_mod, p256_mp_mod);
    /* 0xf */
    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
    /* 0xf0 */
    sp_256_mont_sqr_n_5(t1, t2, 4, p256_mod, p256_mp_mod);
    /* 0xfd */
    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
    /* 0xff */
    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
    /* 0xff00 */
    sp_256_mont_sqr_n_5(t1, t2, 8, p256_mod, p256_mp_mod);
    /* 0xfffd */
    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
    /* 0xffff */
    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
    /* 0xffff0000 */
    sp_256_mont_sqr_n_5(t1, t2, 16, p256_mod, p256_mp_mod);
    /* 0xfffffffd */
    sp_256_mont_mul_5(t3, t3, t1, p256_mod, p256_mp_mod);
    /* 0xffffffff */
    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
    /* 0xffffffff00000000 */
    sp_256_mont_sqr_n_5(t1, t2, 32, p256_mod, p256_mp_mod);
    /* 0xffffffffffffffff */
    sp_256_mont_mul_5(t2, t2, t1, p256_mod, p256_mp_mod);
    /* 0xffffffff00000001 */
    sp_256_mont_mul_5(r, t1, a, p256_mod, p256_mp_mod);
    /* 0xffffffff000000010000000000000000000000000000000000000000 */
    sp_256_mont_sqr_n_5(r, r, 160, p256_mod, p256_mp_mod);
    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff */
    sp_256_mont_mul_5(r, r, t2, p256_mod, p256_mp_mod);
    /* 0xffffffff00000001000000000000000000000000ffffffffffffffff00000000 */
    sp_256_mont_sqr_n_5(r, r, 32, p256_mod, p256_mp_mod);
    /* 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffd */
    sp_256_mont_mul_5(r, r, t3, p256_mod, p256_mp_mod);
#endif /* WOLFSSL_SP_SMALL */
}

/* Map the Montgomery form projective coordinate point to an affine point.
 *
 * r  Resulting affine coordinate point.
 * p  Montgomery form projective coordinate point.
 * t  Temporary ordinate data.
 */
static void sp_256_map_5(sp_point_256* r, const sp_point_256* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*5;
    sp_int64 n;

    sp_256_mont_inv_5(t1, p->z, t + 2*5);

    sp_256_mont_sqr_5(t2, t1, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t1, t2, t1, p256_mod, p256_mp_mod);

    /* x /= z^2 */
    sp_256_mont_mul_5(r->x, p->x, t2, p256_mod, p256_mp_mod);
    XMEMSET(r->x + 5, 0, sizeof(sp_digit) * 5U);
    sp_256_mont_reduce_5(r->x, p256_mod, p256_mp_mod);
    /* Reduce x to less than modulus */
    n = sp_256_cmp_5(r->x, p256_mod);
    sp_256_cond_sub_5(r->x, r->x, p256_mod, ~(n >> 51));
    sp_256_norm_5(r->x);

    /* y /= z^3 */
    sp_256_mont_mul_5(r->y, p->y, t1, p256_mod, p256_mp_mod);
    XMEMSET(r->y + 5, 0, sizeof(sp_digit) * 5U);
    sp_256_mont_reduce_5(r->y, p256_mod, p256_mp_mod);
    /* Reduce y to less than modulus */
    n = sp_256_cmp_5(r->y, p256_mod);
    sp_256_cond_sub_5(r->y, r->y, p256_mod, ~(n >> 51));
    sp_256_norm_5(r->y);

    XMEMSET(r->z, 0, sizeof(r->z) / 2);
    r->z[0] = 1;
}

/* Add two Montgomery form numbers (r = a + b % m).
 *
 * r   Result of addition.
 * a   First number to add in Montgomery form.
 * b   Second number to add in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_256_mont_add_5(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    sp_digit over;
    (void)sp_256_add_5(r, a, b);
    sp_256_norm_5(r);
    over = r[4] >> 48;
    sp_256_cond_sub_5(r, r, m, ~((over - 1) >> 63));
    sp_256_norm_5(r);
}

/* Double a Montgomery form number (r = a + a % m).
 *
 * r   Result of doubling.
 * a   Number to double in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_256_mont_dbl_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_256_add_5(r, a, a);
    sp_256_norm_5(r);
    over = r[4] >> 48;
    sp_256_cond_sub_5(r, r, m, ~((over - 1) >> 63));
    sp_256_norm_5(r);
}

/* Triple a Montgomery form number (r = a + a + a % m).
 *
 * r   Result of Tripling.
 * a   Number to triple in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_256_mont_tpl_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_256_add_5(r, a, a);
    sp_256_norm_5(r);
    over = r[4] >> 48;
    sp_256_cond_sub_5(r, r, m, ~((over - 1) >> 63));
    sp_256_norm_5(r);
    (void)sp_256_add_5(r, r, a);
    sp_256_norm_5(r);
    over = r[4] >> 48;
    sp_256_cond_sub_5(r, r, m, ~((over - 1) >> 63));
    sp_256_norm_5(r);
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_256_cond_add_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 5; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_256_cond_add_5(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    r[ 0] = a[ 0] + (b[ 0] & m);
    r[ 1] = a[ 1] + (b[ 1] & m);
    r[ 2] = a[ 2] + (b[ 2] & m);
    r[ 3] = a[ 3] + (b[ 3] & m);
    r[ 4] = a[ 4] + (b[ 4] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

/* Subtract two Montgomery form numbers (r = a - b % m).
 *
 * r   Result of subtration.
 * a   Number to subtract from in Montgomery form.
 * b   Number to subtract with in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_256_mont_sub_5(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    (void)sp_256_sub_5(r, a, b);
    sp_256_norm_5(r);
    sp_256_cond_add_5(r, r, m, r[4] >> 48);
    sp_256_norm_5(r);
}

/* Shift number left one bit.
 * Bottom bit is lost.
 *
 * r  Result of shift.
 * a  Number to shift.
 */
SP_NOINLINE static void sp_256_rshift1_5(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=0; i<4; i++) {
        r[i] = (a[i] >> 1) + ((a[i + 1] << 51) & 0xfffffffffffffL);
    }
#else
    r[0] = (a[0] >> 1) + ((a[1] << 51) & 0xfffffffffffffL);
    r[1] = (a[1] >> 1) + ((a[2] << 51) & 0xfffffffffffffL);
    r[2] = (a[2] >> 1) + ((a[3] << 51) & 0xfffffffffffffL);
    r[3] = (a[3] >> 1) + ((a[4] << 51) & 0xfffffffffffffL);
#endif
    r[4] = a[4] >> 1;
}

/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
 *
 * r  Result of division by 2.
 * a  Number to divide.
 * m  Modulus (prime).
 */
static void sp_256_mont_div2_5(sp_digit* r, const sp_digit* a,
        const sp_digit* m)
{
    sp_256_cond_add_5(r, a, m, 0 - (a[0] & 1));
    sp_256_norm_5(r);
    sp_256_rshift1_5(r, r);
}

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static void sp_256_proj_point_dbl_5(sp_point_256* r, const sp_point_256* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*5;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;

    x = r->x;
    y = r->y;
    z = r->z;
    /* Put infinity into result. */
    if (r != p) {
        r->infinity = p->infinity;
    }

    /* T1 = Z * Z */
    sp_256_mont_sqr_5(t1, p->z, p256_mod, p256_mp_mod);
    /* Z = Y * Z */
    sp_256_mont_mul_5(z, p->y, p->z, p256_mod, p256_mp_mod);
    /* Z = 2Z */
    sp_256_mont_dbl_5(z, z, p256_mod);
    /* T2 = X - T1 */
    sp_256_mont_sub_5(t2, p->x, t1, p256_mod);
    /* T1 = X + T1 */
    sp_256_mont_add_5(t1, p->x, t1, p256_mod);
    /* T2 = T1 * T2 */
    sp_256_mont_mul_5(t2, t1, t2, p256_mod, p256_mp_mod);
    /* T1 = 3T2 */
    sp_256_mont_tpl_5(t1, t2, p256_mod);
    /* Y = 2Y */
    sp_256_mont_dbl_5(y, p->y, p256_mod);
    /* Y = Y * Y */
    sp_256_mont_sqr_5(y, y, p256_mod, p256_mp_mod);
    /* T2 = Y * Y */
    sp_256_mont_sqr_5(t2, y, p256_mod, p256_mp_mod);
    /* T2 = T2/2 */
    sp_256_mont_div2_5(t2, t2, p256_mod);
    /* Y = Y * X */
    sp_256_mont_mul_5(y, y, p->x, p256_mod, p256_mp_mod);
    /* X = T1 * T1 */
    sp_256_mont_sqr_5(x, t1, p256_mod, p256_mp_mod);
    /* X = X - Y */
    sp_256_mont_sub_5(x, x, y, p256_mod);
    /* X = X - Y */
    sp_256_mont_sub_5(x, x, y, p256_mod);
    /* Y = Y - X */
    sp_256_mont_sub_5(y, y, x, p256_mod);
    /* Y = Y * T1 */
    sp_256_mont_mul_5(y, y, t1, p256_mod, p256_mp_mod);
    /* Y = Y - T2 */
    sp_256_mont_sub_5(y, y, t2, p256_mod);
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_256_proj_point_dbl_5_ctx {
    int state;
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_256_proj_point_dbl_5_ctx;

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static int sp_256_proj_point_dbl_5_nb(sp_ecc_ctx_t* sp_ctx, sp_point_256* r,
        const sp_point_256* p, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_256_proj_point_dbl_5_ctx* ctx = (sp_256_proj_point_dbl_5_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_256_proj_point_dbl_5_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        ctx->t1 = t;
        ctx->t2 = t + 2*5;
        ctx->x = r->x;
        ctx->y = r->y;
        ctx->z = r->z;

        /* Put infinity into result. */
        if (r != p) {
            r->infinity = p->infinity;
        }
        ctx->state = 1;
        break;
    case 1:
        /* T1 = Z * Z */
        sp_256_mont_sqr_5(ctx->t1, p->z, p256_mod, p256_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        /* Z = Y * Z */
        sp_256_mont_mul_5(ctx->z, p->y, p->z, p256_mod, p256_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        /* Z = 2Z */
        sp_256_mont_dbl_5(ctx->z, ctx->z, p256_mod);
        ctx->state = 4;
        break;
    case 4:
        /* T2 = X - T1 */
        sp_256_mont_sub_5(ctx->t2, p->x, ctx->t1, p256_mod);
        ctx->state = 5;
        break;
    case 5:
        /* T1 = X + T1 */
        sp_256_mont_add_5(ctx->t1, p->x, ctx->t1, p256_mod);
        ctx->state = 6;
        break;
    case 6:
        /* T2 = T1 * T2 */
        sp_256_mont_mul_5(ctx->t2, ctx->t1, ctx->t2, p256_mod, p256_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* T1 = 3T2 */
        sp_256_mont_tpl_5(ctx->t1, ctx->t2, p256_mod);
        ctx->state = 8;
        break;
    case 8:
        /* Y = 2Y */
        sp_256_mont_dbl_5(ctx->y, p->y, p256_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Y = Y * Y */
        sp_256_mont_sqr_5(ctx->y, ctx->y, p256_mod, p256_mp_mod);
        ctx->state = 10;
        break;
    case 10:
        /* T2 = Y * Y */
        sp_256_mont_sqr_5(ctx->t2, ctx->y, p256_mod, p256_mp_mod);
        ctx->state = 11;
        break;
    case 11:
        /* T2 = T2/2 */
        sp_256_mont_div2_5(ctx->t2, ctx->t2, p256_mod);
        ctx->state = 12;
        break;
    case 12:
        /* Y = Y * X */
        sp_256_mont_mul_5(ctx->y, ctx->y, p->x, p256_mod, p256_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        /* X = T1 * T1 */
        sp_256_mont_sqr_5(ctx->x, ctx->t1, p256_mod, p256_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        /* X = X - Y */
        sp_256_mont_sub_5(ctx->x, ctx->x, ctx->y, p256_mod);
        ctx->state = 15;
        break;
    case 15:
        /* X = X - Y */
        sp_256_mont_sub_5(ctx->x, ctx->x, ctx->y, p256_mod);
        ctx->state = 16;
        break;
    case 16:
        /* Y = Y - X */
        sp_256_mont_sub_5(ctx->y, ctx->y, ctx->x, p256_mod);
        ctx->state = 17;
        break;
    case 17:
        /* Y = Y * T1 */
        sp_256_mont_mul_5(ctx->y, ctx->y, ctx->t1, p256_mod, p256_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        /* Y = Y - T2 */
        sp_256_mont_sub_5(ctx->y, ctx->y, ctx->t2, p256_mod);
        ctx->state = 19;
        /* fall-through */
    case 19:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 19) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
/* Compare two numbers to determine if they are equal.
 * Constant time implementation.
 *
 * a  First number to compare.
 * b  Second number to compare.
 * returns 1 when equal and 0 otherwise.
 */
static int sp_256_cmp_equal_5(const sp_digit* a, const sp_digit* b)
{
    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) |
            (a[3] ^ b[3]) | (a[4] ^ b[4])) == 0;
}

/* Returns 1 if the number of zero.
 * Implementation is constant time.
 *
 * a  Number to check.
 * returns 1 if the number is zero and 0 otherwise.
 */
static int sp_256_iszero_5(const sp_digit* a)
{
    return (a[0] | a[1] | a[2] | a[3] | a[4]) == 0;
}


/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_256_proj_point_add_5(sp_point_256* r,
        const sp_point_256* p, const sp_point_256* q, sp_digit* t)
{
    sp_digit* t6 = t;
    sp_digit* t1 = t + 2*5;
    sp_digit* t2 = t + 4*5;
    sp_digit* t3 = t + 6*5;
    sp_digit* t4 = t + 8*5;
    sp_digit* t5 = t + 10*5;

    /* U1 = X1*Z2^2 */
    sp_256_mont_sqr_5(t1, q->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t3, t1, q->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t1, t1, p->x, p256_mod, p256_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_256_mont_sqr_5(t2, p->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t4, t2, p->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t2, t2, q->x, p256_mod, p256_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_256_mont_mul_5(t3, t3, p->y, p256_mod, p256_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_256_mont_mul_5(t4, t4, q->y, p256_mod, p256_mp_mod);

    /* Check double */
    if ((~p->infinity) & (~q->infinity) &
            sp_256_cmp_equal_5(t2, t1) &
            sp_256_cmp_equal_5(t4, t3)) {
        sp_256_proj_point_dbl_5(r, p, t);
    }
    else {
        sp_digit* x = t6;
        sp_digit* y = t1;
        sp_digit* z = t2;

        /* H = U2 - U1 */
        sp_256_mont_sub_5(t2, t2, t1, p256_mod);
        /* R = S2 - S1 */
        sp_256_mont_sub_5(t4, t4, t3, p256_mod);
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_256_mont_sqr_5(t5, t2, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(y, t1, t5, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(t5, t5, t2, p256_mod, p256_mp_mod);
        /* Z3 = H*Z1*Z2 */
        sp_256_mont_mul_5(z, p->z, t2, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(z, z, q->z, p256_mod, p256_mp_mod);
        sp_256_mont_sqr_5(x, t4, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(x, x, t5, p256_mod);
        sp_256_mont_mul_5(t5, t5, t3, p256_mod, p256_mp_mod);
        sp_256_mont_dbl_5(t3, y, p256_mod);
        sp_256_mont_sub_5(x, x, t3, p256_mod);
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_256_mont_sub_5(y, y, x, p256_mod);
        sp_256_mont_mul_5(y, y, t4, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(y, y, t5, p256_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 5; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_256_proj_point_add_5_ctx {
    int state;
    sp_256_proj_point_dbl_5_ctx dbl_ctx;
    const sp_point_256* ap[2];
    sp_point_256* rp[2];
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* t3;
    sp_digit* t4;
    sp_digit* t5;
    sp_digit* t6;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_256_proj_point_add_5_ctx;

/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static int sp_256_proj_point_add_5_nb(sp_ecc_ctx_t* sp_ctx, sp_point_256* r,
    const sp_point_256* p, const sp_point_256* q, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_256_proj_point_add_5_ctx* ctx = (sp_256_proj_point_add_5_ctx*)sp_ctx->data;

    /* Ensure only the first point is the same as the result. */
    if (q == r) {
        const sp_point_256* a = p;
        p = q;
        q = a;
    }

    typedef char ctx_size_test[sizeof(sp_256_proj_point_add_5_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->t6 = t;
        ctx->t1 = t + 2*5;
        ctx->t2 = t + 4*5;
        ctx->t3 = t + 6*5;
        ctx->t4 = t + 8*5;
        ctx->t5 = t + 10*5;
        ctx->x = ctx->t6;
        ctx->y = ctx->t1;
        ctx->z = ctx->t2;

        ctx->state = 1;
        break;
    case 1:
        /* U1 = X1*Z2^2 */
        sp_256_mont_sqr_5(ctx->t1, q->z, p256_mod, p256_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        sp_256_mont_mul_5(ctx->t3, ctx->t1, q->z, p256_mod, p256_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        sp_256_mont_mul_5(ctx->t1, ctx->t1, p->x, p256_mod, p256_mp_mod);
        ctx->state = 4;
        break;
    case 4:
        /* U2 = X2*Z1^2 */
        sp_256_mont_sqr_5(ctx->t2, p->z, p256_mod, p256_mp_mod);
        ctx->state = 5;
        break;
    case 5:
        sp_256_mont_mul_5(ctx->t4, ctx->t2, p->z, p256_mod, p256_mp_mod);
        ctx->state = 6;
        break;
    case 6:
        sp_256_mont_mul_5(ctx->t2, ctx->t2, q->x, p256_mod, p256_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* S1 = Y1*Z2^3 */
        sp_256_mont_mul_5(ctx->t3, ctx->t3, p->y, p256_mod, p256_mp_mod);
        ctx->state = 8;
        break;
    case 8:
        /* S2 = Y2*Z1^3 */
        sp_256_mont_mul_5(ctx->t4, ctx->t4, q->y, p256_mod, p256_mp_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Check double */
        if ((~p->infinity) & (~q->infinity) &
                sp_256_cmp_equal_5(ctx->t2, ctx->t1) &
                sp_256_cmp_equal_5(ctx->t4, ctx->t3)) {
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            sp_256_proj_point_dbl_5(r, p, t);
            ctx->state = 25;
        }
        else {
            ctx->state = 10;
        }
        break;
    case 10:
        /* H = U2 - U1 */
        sp_256_mont_sub_5(ctx->t2, ctx->t2, ctx->t1, p256_mod);
        ctx->state = 11;
        break;
    case 11:
        /* R = S2 - S1 */
        sp_256_mont_sub_5(ctx->t4, ctx->t4, ctx->t3, p256_mod);
        ctx->state = 12;
        break;
    case 12:
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_256_mont_sqr_5(ctx->t5, ctx->t2, p256_mod, p256_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        sp_256_mont_mul_5(ctx->y, ctx->t1, ctx->t5, p256_mod, p256_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        sp_256_mont_mul_5(ctx->t5, ctx->t5, ctx->t2, p256_mod, p256_mp_mod);
        ctx->state = 15;
        break;
    case 15:
        /* Z3 = H*Z1*Z2 */
        sp_256_mont_mul_5(ctx->z, p->z, ctx->t2, p256_mod, p256_mp_mod);
        ctx->state = 16;
        break;
    case 16:
        sp_256_mont_mul_5(ctx->z, ctx->z, q->z, p256_mod, p256_mp_mod);
        ctx->state = 17;
        break;
    case 17:
        sp_256_mont_sqr_5(ctx->x, ctx->t4, p256_mod, p256_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        sp_256_mont_sub_5(ctx->x, ctx->x, ctx->t5, p256_mod);
        ctx->state = 19;
        break;
    case 19:
        sp_256_mont_mul_5(ctx->t5, ctx->t5, ctx->t3, p256_mod, p256_mp_mod);
        ctx->state = 20;
        break;
    case 20:
        sp_256_mont_dbl_5(ctx->t3, ctx->y, p256_mod);
        sp_256_mont_sub_5(ctx->x, ctx->x, ctx->t3, p256_mod);
        ctx->state = 21;
        break;
    case 21:
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_256_mont_sub_5(ctx->y, ctx->y, ctx->x, p256_mod);
        ctx->state = 22;
        break;
    case 22:
        sp_256_mont_mul_5(ctx->y, ctx->y, ctx->t4, p256_mod, p256_mp_mod);
        ctx->state = 23;
        break;
    case 23:
        sp_256_mont_sub_5(ctx->y, ctx->y, ctx->t5, p256_mod);
        ctx->state = 24;
        break;
    case 24:
    {
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 5; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (ctx->x[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (ctx->y[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (ctx->z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
        ctx->state = 25;
        break;
    }
    case 25:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 25) {
        err = FP_WOULDBLOCK;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

/* Multiply a number by Montgomery normalizer mod modulus (prime).
 *
 * r  The resulting Montgomery form number.
 * a  The number to convert.
 * m  The modulus (prime).
 * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
 */
static int sp_256_mod_mul_norm_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    int64_t* t = NULL;
#else
    int64_t t[2 * 8];
#endif
    int64_t* a32 = NULL;
    int64_t o;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 8, NULL, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        return MEMORY_E;
#endif

    if (err == MP_OKAY) {
        a32 = t + 8;

        a32[0] = (sp_digit)(a[0]) & 0xffffffffL;
        a32[1] = (sp_digit)(a[0] >> 32U);
        a32[1] |= (sp_digit)(a[1] << 20U);
        a32[1] &= 0xffffffffL;
        a32[2] = (sp_digit)(a[1] >> 12U) & 0xffffffffL;
        a32[3] = (sp_digit)(a[1] >> 44U);
        a32[3] |= (sp_digit)(a[2] << 8U);
        a32[3] &= 0xffffffffL;
        a32[4] = (sp_digit)(a[2] >> 24U);
        a32[4] |= (sp_digit)(a[3] << 28U);
        a32[4] &= 0xffffffffL;
        a32[5] = (sp_digit)(a[3] >> 4U) & 0xffffffffL;
        a32[6] = (sp_digit)(a[3] >> 36U);
        a32[6] |= (sp_digit)(a[4] << 16U);
        a32[6] &= 0xffffffffL;
        a32[7] = (sp_digit)(a[4] >> 16U) & 0xffffffffL;

        /*  1  1  0 -1 -1 -1 -1  0 */
        t[0] = 0 + a32[0] + a32[1] - a32[3] - a32[4] - a32[5] - a32[6];
        /*  0  1  1  0 -1 -1 -1 -1 */
        t[1] = 0 + a32[1] + a32[2] - a32[4] - a32[5] - a32[6] - a32[7];
        /*  0  0  1  1  0 -1 -1 -1 */
        t[2] = 0 + a32[2] + a32[3] - a32[5] - a32[6] - a32[7];
        /* -1 -1  0  2  2  1  0 -1 */
        t[3] = 0 - a32[0] - a32[1] + 2 * a32[3] + 2 * a32[4] + a32[5] - a32[7];
        /*  0 -1 -1  0  2  2  1  0 */
        t[4] = 0 - a32[1] - a32[2] + 2 * a32[4] + 2 * a32[5] + a32[6];
        /*  0  0 -1 -1  0  2  2  1 */
        t[5] = 0 - a32[2] - a32[3] + 2 * a32[5] + 2 * a32[6] + a32[7];
        /* -1 -1  0  0  0  1  3  2 */
        t[6] = 0 - a32[0] - a32[1] + a32[5] + 3 * a32[6] + 2 * a32[7];
        /*  1  0 -1 -1 -1 -1  0  3 */
        t[7] = 0 + a32[0] - a32[2] - a32[3] - a32[4] - a32[5] + 3 * a32[7];

        t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
        t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
        t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
        t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
        t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
        t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
        t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;
        o     = t[7] >> 32U; t[7] &= 0xffffffffL;
        t[0] += o;
        t[3] -= o;
        t[6] -= o;
        t[7] += o;
        t[1] += t[0] >> 32U; t[0] &= 0xffffffffL;
        t[2] += t[1] >> 32U; t[1] &= 0xffffffffL;
        t[3] += t[2] >> 32U; t[2] &= 0xffffffffL;
        t[4] += t[3] >> 32U; t[3] &= 0xffffffffL;
        t[5] += t[4] >> 32U; t[4] &= 0xffffffffL;
        t[6] += t[5] >> 32U; t[5] &= 0xffffffffL;
        t[7] += t[6] >> 32U; t[6] &= 0xffffffffL;

        r[0] = t[0];
        r[0] |= t[1] << 32U;
        r[0] &= 0xfffffffffffffLL;
        r[1] = (t[1] >> 20);
        r[1] |= t[2] << 12U;
        r[1] |= t[3] << 44U;
        r[1] &= 0xfffffffffffffLL;
        r[2] = (t[3] >> 8);
        r[2] |= t[4] << 24U;
        r[2] &= 0xfffffffffffffLL;
        r[3] = (t[4] >> 28);
        r[3] |= t[5] << 4U;
        r[3] |= t[6] << 36U;
        r[3] &= 0xfffffffffffffLL;
        r[4] = (t[6] >> 16);
        r[4] |= t[7] << 16U;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Small implementation using add and double that is cache attack resistant but
 * allocates memory rather than use large stacks.
 * 256 adds and doubles.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_256 t[3];
    sp_digit tmp[2 * 5 * 6];
#endif
    sp_digit n;
    int i;
    int c;
    int y;
    int err = MP_OKAY;

    /* Implementation is constant time. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 6, heap,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        XMEMSET(t, 0, sizeof(sp_point_256) * 3);

        /* t[0] = {0, 0, 1} * norm */
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_256_mod_mul_norm_5(t[1].x, g->x, p256_mod);
    }
    if (err == MP_OKAY)
        err = sp_256_mod_mul_norm_5(t[1].y, g->y, p256_mod);
    if (err == MP_OKAY)
        err = sp_256_mod_mul_norm_5(t[1].z, g->z, p256_mod);

    if (err == MP_OKAY) {
        i = 4;
        c = 48;
        n = k[i--] << (52 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1)
                    break;

                n = k[i--];
                c = 52;
            }

            y = (n >> 51) & 1;
            n <<= 1;

            sp_256_proj_point_add_5(&t[y^1], &t[0], &t[1], tmp);

            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
                                   ((size_t)&t[1] & addr_mask[y])),
                    sizeof(sp_point_256));
            sp_256_proj_point_dbl_5(&t[2], &t[2], tmp);
            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
                            ((size_t)&t[1] & addr_mask[y])), &t[2],
                    sizeof(sp_point_256));
        }

        if (map != 0) {
            sp_256_map_5(r, &t[0], tmp);
        }
        else {
            XMEMCPY(r, &t[0], sizeof(sp_point_256));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
#endif
    {
        ForceZero(tmp, sizeof(sp_digit) * 2 * 5 * 6);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
#endif
    {
        ForceZero(t, sizeof(sp_point_256) * 3);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_256_ecc_mulmod_5_ctx {
    int state;
    union {
        sp_256_proj_point_dbl_5_ctx dbl_ctx;
        sp_256_proj_point_add_5_ctx add_ctx;
    };
    sp_point_256 t[3];
    sp_digit tmp[2 * 5 * 6];
    sp_digit n;
    int i;
    int c;
    int y;
} sp_256_ecc_mulmod_5_ctx;

static int sp_256_ecc_mulmod_5_nb(sp_ecc_ctx_t* sp_ctx, sp_point_256* r,
    const sp_point_256* g, const sp_digit* k, int map, int ct, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_256_ecc_mulmod_5_ctx* ctx = (sp_256_ecc_mulmod_5_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_256_ecc_mulmod_5_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    /* Implementation is constant time. */
    (void)ct;

    switch (ctx->state) {
    case 0: /* INIT */
        XMEMSET(ctx->t, 0, sizeof(sp_point_256) * 3);
        ctx->i = 4;
        ctx->c = 48;
        ctx->n = k[ctx->i--] << (52 - ctx->c);

        /* t[0] = {0, 0, 1} * norm */
        ctx->t[0].infinity = 1;
        ctx->state = 1;
        break;
    case 1: /* T1X */
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_256_mod_mul_norm_5(ctx->t[1].x, g->x, p256_mod);
        ctx->state = 2;
        break;
    case 2: /* T1Y */
        err = sp_256_mod_mul_norm_5(ctx->t[1].y, g->y, p256_mod);
        ctx->state = 3;
        break;
    case 3: /* T1Z */
        err = sp_256_mod_mul_norm_5(ctx->t[1].z, g->z, p256_mod);
        ctx->state = 4;
        break;
    case 4: /* ADDPREP */
        if (ctx->c == 0) {
            if (ctx->i == -1) {
                ctx->state = 7;
                break;
            }

            ctx->n = k[ctx->i--];
            ctx->c = 52;
        }
        ctx->y = (ctx->n >> 51) & 1;
        ctx->n <<= 1;
        XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
        ctx->state = 5;
        break;
    case 5: /* ADD */
        err = sp_256_proj_point_add_5_nb((sp_ecc_ctx_t*)&ctx->add_ctx,
            &ctx->t[ctx->y^1], &ctx->t[0], &ctx->t[1], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY(&ctx->t[2], (void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                                        ((size_t)&ctx->t[1] & addr_mask[ctx->y])),
                    sizeof(sp_point_256));
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* DBL */
        err = sp_256_proj_point_dbl_5_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->t[2],
            &ctx->t[2], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY((void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                            ((size_t)&ctx->t[1] & addr_mask[ctx->y])), &ctx->t[2],
                    sizeof(sp_point_256));
            ctx->state = 4;
            ctx->c--;
        }
        break;
    case 7: /* MAP */
        if (map != 0) {
            sp_256_map_5(r, &ctx->t[0], ctx->tmp);
        }
        else {
            XMEMCPY(r, &ctx->t[0], sizeof(sp_point_256));
        }
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 7) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        ForceZero(ctx->tmp, sizeof(ctx->tmp));
        ForceZero(ctx->t, sizeof(ctx->t));
    }

    (void)heap;

    return err;
}

#endif /* WOLFSSL_SP_NONBLOCK */

#else
/* A table entry for pre-computed points. */
typedef struct sp_table_entry_256 {
    sp_digit x[5];
    sp_digit y[5];
} sp_table_entry_256;

/* Conditionally copy a into r using the mask m.
 * m is -1 to copy and 0 when not.
 *
 * r  A single precision number to copy over.
 * a  A single precision number to copy.
 * m  Mask value to apply.
 */
static void sp_256_cond_copy_5(sp_digit* r, const sp_digit* a, const sp_digit m)
{
    sp_digit t[5];
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 5; i++) {
        t[i] = r[i] ^ a[i];
    }
    for (i = 0; i < 5; i++) {
        r[i] ^= t[i] & m;
    }
#else
    t[ 0] = r[ 0] ^ a[ 0];
    t[ 1] = r[ 1] ^ a[ 1];
    t[ 2] = r[ 2] ^ a[ 2];
    t[ 3] = r[ 3] ^ a[ 3];
    t[ 4] = r[ 4] ^ a[ 4];
    r[ 0] ^= t[ 0] & m;
    r[ 1] ^= t[ 1] & m;
    r[ 2] ^= t[ 2] & m;
    r[ 3] ^= t[ 3] & m;
    r[ 4] ^= t[ 4] & m;
#endif /* WOLFSSL_SP_SMALL */
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_256_proj_point_dbl_n_5(sp_point_256* p, int i,
    sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*5;
    sp_digit* b = t + 4*5;
    sp_digit* t1 = t + 6*5;
    sp_digit* t2 = t + 8*5;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
    volatile int n = i;

    x = p->x;
    y = p->y;
    z = p->z;

    /* Y = 2*Y */
    sp_256_mont_dbl_5(y, y, p256_mod);
    /* W = Z^4 */
    sp_256_mont_sqr_5(w, z, p256_mod, p256_mp_mod);
    sp_256_mont_sqr_5(w, w, p256_mod, p256_mp_mod);
#ifndef WOLFSSL_SP_SMALL
    while (--n > 0)
#else
    while (--n >= 0)
#endif
    {
        /* A = 3*(X^2 - W) */
        sp_256_mont_sqr_5(t1, x, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(t1, t1, w, p256_mod);
        sp_256_mont_tpl_5(a, t1, p256_mod);
        /* B = X*Y^2 */
        sp_256_mont_sqr_5(t1, y, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(b, t1, x, p256_mod, p256_mp_mod);
        /* X = A^2 - 2B */
        sp_256_mont_sqr_5(x, a, p256_mod, p256_mp_mod);
        sp_256_mont_dbl_5(t2, b, p256_mod);
        sp_256_mont_sub_5(x, x, t2, p256_mod);
        /* B = 2.(B - X) */
        sp_256_mont_sub_5(t2, b, x, p256_mod);
        sp_256_mont_dbl_5(b, t2, p256_mod);
        /* Z = Z*Y */
        sp_256_mont_mul_5(z, z, y, p256_mod, p256_mp_mod);
        /* t1 = Y^4 */
        sp_256_mont_sqr_5(t1, t1, p256_mod, p256_mp_mod);
#ifdef WOLFSSL_SP_SMALL
        if (n != 0)
#endif
        {
            /* W = W*Y^4 */
            sp_256_mont_mul_5(w, w, t1, p256_mod, p256_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_256_mont_mul_5(y, b, a, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(y, y, t1, p256_mod);
    }
#ifndef WOLFSSL_SP_SMALL
    /* A = 3*(X^2 - W) */
    sp_256_mont_sqr_5(t1, x, p256_mod, p256_mp_mod);
    sp_256_mont_sub_5(t1, t1, w, p256_mod);
    sp_256_mont_tpl_5(a, t1, p256_mod);
    /* B = X*Y^2 */
    sp_256_mont_sqr_5(t1, y, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(b, t1, x, p256_mod, p256_mp_mod);
    /* X = A^2 - 2B */
    sp_256_mont_sqr_5(x, a, p256_mod, p256_mp_mod);
    sp_256_mont_dbl_5(t2, b, p256_mod);
    sp_256_mont_sub_5(x, x, t2, p256_mod);
    /* B = 2.(B - X) */
    sp_256_mont_sub_5(t2, b, x, p256_mod);
    sp_256_mont_dbl_5(b, t2, p256_mod);
    /* Z = Z*Y */
    sp_256_mont_mul_5(z, z, y, p256_mod, p256_mp_mod);
    /* t1 = Y^4 */
    sp_256_mont_sqr_5(t1, t1, p256_mod, p256_mp_mod);
    /* y = 2*A*(B - X) - Y^4 */
    sp_256_mont_mul_5(y, b, a, p256_mod, p256_mp_mod);
    sp_256_mont_sub_5(y, y, t1, p256_mod);
#endif /* WOLFSSL_SP_SMALL */
    /* Y = Y/2 */
    sp_256_mont_div2_5(y, y, p256_mod);
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_256_proj_point_dbl_n_store_5(sp_point_256* r,
        const sp_point_256* p, int n, int m, sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*5;
    sp_digit* b = t + 4*5;
    sp_digit* t1 = t + 6*5;
    sp_digit* t2 = t + 8*5;
    sp_digit* x = r[2*m].x;
    sp_digit* y = r[(1<<n)*m].y;
    sp_digit* z = r[2*m].z;
    int i;
    int j;

    for (i=0; i<5; i++) {
        x[i] = p->x[i];
    }
    for (i=0; i<5; i++) {
        y[i] = p->y[i];
    }
    for (i=0; i<5; i++) {
        z[i] = p->z[i];
    }

    /* Y = 2*Y */
    sp_256_mont_dbl_5(y, y, p256_mod);
    /* W = Z^4 */
    sp_256_mont_sqr_5(w, z, p256_mod, p256_mp_mod);
    sp_256_mont_sqr_5(w, w, p256_mod, p256_mp_mod);
    j = m;
    for (i=1; i<=n; i++) {
        j *= 2;

        /* A = 3*(X^2 - W) */
        sp_256_mont_sqr_5(t1, x, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(t1, t1, w, p256_mod);
        sp_256_mont_tpl_5(a, t1, p256_mod);
        /* B = X*Y^2 */
        sp_256_mont_sqr_5(t1, y, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(b, t1, x, p256_mod, p256_mp_mod);
        x = r[j].x;
        /* X = A^2 - 2B */
        sp_256_mont_sqr_5(x, a, p256_mod, p256_mp_mod);
        sp_256_mont_dbl_5(t2, b, p256_mod);
        sp_256_mont_sub_5(x, x, t2, p256_mod);
        /* B = 2.(B - X) */
        sp_256_mont_sub_5(t2, b, x, p256_mod);
        sp_256_mont_dbl_5(b, t2, p256_mod);
        /* Z = Z*Y */
        sp_256_mont_mul_5(r[j].z, z, y, p256_mod, p256_mp_mod);
        z = r[j].z;
        /* t1 = Y^4 */
        sp_256_mont_sqr_5(t1, t1, p256_mod, p256_mp_mod);
        if (i != n) {
            /* W = W*Y^4 */
            sp_256_mont_mul_5(w, w, t1, p256_mod, p256_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_256_mont_mul_5(y, b, a, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(y, y, t1, p256_mod);
        /* Y = Y/2 */
        sp_256_mont_div2_5(r[j].y, y, p256_mod);
        r[j].infinity = 0;
    }
}

/* Add two Montgomery form projective points.
 *
 * ra  Result of addition.
 * rs  Result of subtraction.
 * p   First point to add.
 * q   Second point to add.
 * t   Temporary ordinate data.
 */
static void sp_256_proj_point_add_sub_5(sp_point_256* ra,
        sp_point_256* rs, const sp_point_256* p, const sp_point_256* q,
        sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*5;
    sp_digit* t3 = t + 4*5;
    sp_digit* t4 = t + 6*5;
    sp_digit* t5 = t + 8*5;
    sp_digit* t6 = t + 10*5;
    sp_digit* xa = ra->x;
    sp_digit* ya = ra->y;
    sp_digit* za = ra->z;
    sp_digit* xs = rs->x;
    sp_digit* ys = rs->y;
    sp_digit* zs = rs->z;


    XMEMCPY(xa, p->x, sizeof(p->x) / 2);
    XMEMCPY(ya, p->y, sizeof(p->y) / 2);
    XMEMCPY(za, p->z, sizeof(p->z) / 2);
    ra->infinity = 0;
    rs->infinity = 0;

    /* U1 = X1*Z2^2 */
    sp_256_mont_sqr_5(t1, q->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t3, t1, q->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t1, t1, xa, p256_mod, p256_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_256_mont_sqr_5(t2, za, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t4, t2, za, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t2, t2, q->x, p256_mod, p256_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_256_mont_mul_5(t3, t3, ya, p256_mod, p256_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_256_mont_mul_5(t4, t4, q->y, p256_mod, p256_mp_mod);
    /* H = U2 - U1 */
    sp_256_mont_sub_5(t2, t2, t1, p256_mod);
    /* RS = S2 + S1 */
    sp_256_mont_add_5(t6, t4, t3, p256_mod);
    /* R = S2 - S1 */
    sp_256_mont_sub_5(t4, t4, t3, p256_mod);
    /* Z3 = H*Z1*Z2 */
    /* ZS = H*Z1*Z2 */
    sp_256_mont_mul_5(za, za, q->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(za, za, t2, p256_mod, p256_mp_mod);
    XMEMCPY(zs, za, sizeof(p->z)/2);
    /* X3 = R^2 - H^3 - 2*U1*H^2 */
    /* XS = RS^2 - H^3 - 2*U1*H^2 */
    sp_256_mont_sqr_5(xa, t4, p256_mod, p256_mp_mod);
    sp_256_mont_sqr_5(xs, t6, p256_mod, p256_mp_mod);
    sp_256_mont_sqr_5(t5, t2, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(ya, t1, t5, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t5, t5, t2, p256_mod, p256_mp_mod);
    sp_256_mont_sub_5(xa, xa, t5, p256_mod);
    sp_256_mont_sub_5(xs, xs, t5, p256_mod);
    sp_256_mont_dbl_5(t1, ya, p256_mod);
    sp_256_mont_sub_5(xa, xa, t1, p256_mod);
    sp_256_mont_sub_5(xs, xs, t1, p256_mod);
    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
    sp_256_mont_sub_5(ys, ya, xs, p256_mod);
    sp_256_mont_sub_5(ya, ya, xa, p256_mod);
    sp_256_mont_mul_5(ya, ya, t4, p256_mod, p256_mp_mod);
    sp_256_sub_5(t6, p256_mod, t6);
    sp_256_mont_mul_5(ys, ys, t6, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t5, t5, t3, p256_mod, p256_mp_mod);
    sp_256_mont_sub_5(ya, ya, t5, p256_mod);
    sp_256_mont_sub_5(ys, ys, t5, p256_mod);
}

/* Structure used to describe recoding of scalar multiplication. */
typedef struct ecc_recode_256 {
    /* Index into pre-computation table. */
    uint8_t i;
    /* Use the negative of the point. */
    uint8_t neg;
} ecc_recode_256;

/* The index into pre-computation table to use. */
static const uint8_t recode_index_5_6[66] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
     0,  1,
};

/* Whether to negate y-ordinate. */
static const uint8_t recode_neg_5_6[66] = {
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     0,  0,
};

/* Recode the scalar for multiplication using pre-computed values and
 * subtraction.
 *
 * k  Scalar to multiply by.
 * v  Vector of operations to perform.
 */
static void sp_256_ecc_recode_6_5(const sp_digit* k, ecc_recode_256* v)
{
    int i;
    int j;
    uint8_t y;
    int carry = 0;
    int o;
    sp_digit n;

    j = 0;
    n = k[j];
    o = 0;
    for (i=0; i<43; i++) {
        y = (int8_t)n;
        if (o + 6 < 52) {
            y &= 0x3f;
            n >>= 6;
            o += 6;
        }
        else if (o + 6 == 52) {
            n >>= 6;
            if (++j < 5)
                n = k[j];
            o = 0;
        }
        else if (++j < 5) {
            n = k[j];
            y |= (uint8_t)((n << (52 - o)) & 0x3f);
            o -= 46;
            n >>= o;
        }

        y += (uint8_t)carry;
        v[i].i = recode_index_5_6[y];
        v[i].neg = recode_neg_5_6[y];
        carry = (y >> 6) + v[i].neg;
    }
}

#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible point that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_256_get_point_33_5(sp_point_256* r, const sp_point_256* table,
    int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    r->z[0] = 0;
    r->z[1] = 0;
    r->z[2] = 0;
    r->z[3] = 0;
    r->z[4] = 0;
    for (i = 1; i < 33; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
        r->z[0] |= mask & table[i].z[0];
        r->z[1] |= mask & table[i].z[1];
        r->z[2] |= mask & table[i].z[2];
        r->z[3] |= mask & table[i].z[3];
        r->z[4] |= mask & table[i].z[4];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Window technique of 6 bits. (Add-Sub variation.)
 * Calculate 0..32 times the point. Use function that adds and
 * subtracts the same two points.
 * Recode to add or subtract one of the computed points.
 * Double to push up.
 * NOT a sliding window.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_win_add_sub_5(sp_point_256* r, const sp_point_256* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_256 t[33+2];
    sp_digit tmp[2 * 5 * 6];
#endif
    sp_point_256* rt = NULL;
    sp_point_256* p = NULL;
    sp_digit* negy;
    int i;
    ecc_recode_256 v[43];
    int err = MP_OKAY;

    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) *
        (33+2), heap, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 6,
                                 heap, DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        rt = t + 33;
        p  = t + 33+1;

        /* t[0] = {0, 0, 1} * norm */
        XMEMSET(&t[0], 0, sizeof(t[0]));
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_256_mod_mul_norm_5(t[1].x, g->x, p256_mod);
    }
    if (err == MP_OKAY) {
        err = sp_256_mod_mul_norm_5(t[1].y, g->y, p256_mod);
    }
    if (err == MP_OKAY) {
        err = sp_256_mod_mul_norm_5(t[1].z, g->z, p256_mod);
    }

    if (err == MP_OKAY) {
        t[1].infinity = 0;
        /* t[2] ... t[32]  */
        sp_256_proj_point_dbl_n_store_5(t, &t[ 1], 5, 1, tmp);
        sp_256_proj_point_add_5(&t[ 3], &t[ 2], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[ 6], &t[ 3], tmp);
        sp_256_proj_point_add_sub_5(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[10], &t[ 5], tmp);
        sp_256_proj_point_add_sub_5(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[12], &t[ 6], tmp);
        sp_256_proj_point_dbl_5(&t[14], &t[ 7], tmp);
        sp_256_proj_point_add_sub_5(&t[15], &t[13], &t[14], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[18], &t[ 9], tmp);
        sp_256_proj_point_add_sub_5(&t[19], &t[17], &t[18], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[20], &t[10], tmp);
        sp_256_proj_point_dbl_5(&t[22], &t[11], tmp);
        sp_256_proj_point_add_sub_5(&t[23], &t[21], &t[22], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[24], &t[12], tmp);
        sp_256_proj_point_dbl_5(&t[26], &t[13], tmp);
        sp_256_proj_point_add_sub_5(&t[27], &t[25], &t[26], &t[ 1], tmp);
        sp_256_proj_point_dbl_5(&t[28], &t[14], tmp);
        sp_256_proj_point_dbl_5(&t[30], &t[15], tmp);
        sp_256_proj_point_add_sub_5(&t[31], &t[29], &t[30], &t[ 1], tmp);

        negy = t[0].y;

        sp_256_ecc_recode_6_5(k, v);

        i = 42;
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_256_get_point_33_5(rt, t, v[i].i);
            rt->infinity = !v[i].i;
        }
        else
    #endif
        {
            XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_256));
        }
        for (--i; i>=0; i--) {
            sp_256_proj_point_dbl_n_5(rt, 6, tmp);

        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_256_get_point_33_5(p, t, v[i].i);
                p->infinity = !v[i].i;
            }
            else
        #endif
            {
                XMEMCPY(p, &t[v[i].i], sizeof(sp_point_256));
            }
            sp_256_sub_5(negy, p256_mod, p->y);
            sp_256_norm_5(negy);
            sp_256_cond_copy_5(p->y, negy, (sp_digit)0 - v[i].neg);
            sp_256_proj_point_add_5(rt, rt, p, tmp);
        }

        if (map != 0) {
            sp_256_map_5(r, rt, tmp);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_256));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (tmp != NULL)
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#endif /* FP_ECC */
/* Add two Montgomery form projective points. The second point has a q value of
 * one.
 * Only the first point can be the same pointer as the result point.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_256_proj_point_add_qz1_5(sp_point_256* r,
    const sp_point_256* p, const sp_point_256* q, sp_digit* t)
{
    sp_digit* t2 = t;
    sp_digit* t3 = t + 2*5;
    sp_digit* t6 = t + 4*5;
    sp_digit* t1 = t + 6*5;
    sp_digit* t4 = t + 8*5;
    sp_digit* t5 = t + 10*5;

    /* Calculate values to subtract from P->x and P->y. */
    /* U2 = X2*Z1^2 */
    sp_256_mont_sqr_5(t2, p->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t4, t2, p->z, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t2, t2, q->x, p256_mod, p256_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_256_mont_mul_5(t4, t4, q->y, p256_mod, p256_mp_mod);

    if ((~p->infinity) & (~q->infinity) &
            sp_256_cmp_equal_5(p->x, t2) &
            sp_256_cmp_equal_5(p->y, t4)) {
        sp_256_proj_point_dbl_5(r, p, t);
    }
    else {
        sp_digit* x = t2;
        sp_digit* y = t3;
        sp_digit* z = t6;

        /* H = U2 - X1 */
        sp_256_mont_sub_5(t2, t2, p->x, p256_mod);
        /* R = S2 - Y1 */
        sp_256_mont_sub_5(t4, t4, p->y, p256_mod);
        /* Z3 = H*Z1 */
        sp_256_mont_mul_5(z, p->z, t2, p256_mod, p256_mp_mod);
        /* X3 = R^2 - H^3 - 2*X1*H^2 */
        sp_256_mont_sqr_5(t1, t2, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(t3, p->x, t1, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
        sp_256_mont_sqr_5(t2, t4, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(t2, t2, t1, p256_mod);
        sp_256_mont_dbl_5(t5, t3, p256_mod);
        sp_256_mont_sub_5(x, t2, t5, p256_mod);
        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
        sp_256_mont_sub_5(t3, t3, x, p256_mod);
        sp_256_mont_mul_5(t3, t3, t4, p256_mod, p256_mp_mod);
        sp_256_mont_mul_5(t1, t1, p->y, p256_mod, p256_mp_mod);
        sp_256_mont_sub_5(y, t3, t1, p256_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 5; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 5; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef FP_ECC
/* Convert the projective point to affine.
 * Ordinates are in Montgomery form.
 *
 * a  Point to convert.
 * t  Temporary data.
 */
static void sp_256_proj_to_affine_5(sp_point_256* a, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 5;
    sp_digit* tmp = t + 4 * 5;

    sp_256_mont_inv_5(t1, a->z, tmp);

    sp_256_mont_sqr_5(t2, t1, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(t1, t2, t1, p256_mod, p256_mp_mod);

    sp_256_mont_mul_5(a->x, a->x, t2, p256_mod, p256_mp_mod);
    sp_256_mont_mul_5(a->y, a->y, t1, p256_mod, p256_mp_mod);
    XMEMCPY(a->z, p256_norm_mod, sizeof(p256_norm_mod));
}

/* Generate the pre-computed table of points for the base point.
 *
 * width = 8
 * 256 entries
 * 32 bits between
 *
 * a      The base point.
 * table  Place to store generated point data.
 * tmp    Temporary data.
 * heap  Heap to use for allocation.
 */
static int sp_256_gen_stripe_table_5(const sp_point_256* a,
        sp_table_entry_256* table, sp_digit* tmp, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* t = NULL;
#else
    sp_point_256 t[3];
#endif
    sp_point_256* s1 = NULL;
    sp_point_256* s2 = NULL;
    int i;
    int j;
    int err = MP_OKAY;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        s1 = t + 1;
        s2 = t + 2;

        err = sp_256_mod_mul_norm_5(t->x, a->x, p256_mod);
    }
    if (err == MP_OKAY) {
        err = sp_256_mod_mul_norm_5(t->y, a->y, p256_mod);
    }
    if (err == MP_OKAY) {
        err = sp_256_mod_mul_norm_5(t->z, a->z, p256_mod);
    }
    if (err == MP_OKAY) {
        t->infinity = 0;
        sp_256_proj_to_affine_5(t, tmp);

        XMEMCPY(s1->z, p256_norm_mod, sizeof(p256_norm_mod));
        s1->infinity = 0;
        XMEMCPY(s2->z, p256_norm_mod, sizeof(p256_norm_mod));
        s2->infinity = 0;

        /* table[0] = {0, 0, infinity} */
        XMEMSET(&table[0], 0, sizeof(sp_table_entry_256));
        /* table[1] = Affine version of 'a' in Montgomery form */
        XMEMCPY(table[1].x, t->x, sizeof(table->x));
        XMEMCPY(table[1].y, t->y, sizeof(table->y));

        for (i=1; i<8; i++) {
            sp_256_proj_point_dbl_n_5(t, 32, tmp);
            sp_256_proj_to_affine_5(t, tmp);
            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
        }

        for (i=1; i<8; i++) {
            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
                sp_256_proj_point_add_qz1_5(t, s1, s2, tmp);
                sp_256_proj_to_affine_5(t, tmp);
                XMEMCPY(table[j].x, t->x, sizeof(table->x));
                XMEMCPY(table[j].y, t->y, sizeof(table->y));
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* FP_ECC */
#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible entry that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_256_get_entry_256_5(sp_point_256* r,
    const sp_table_entry_256* table, int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    for (i = 1; i < 256; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^32, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r      Resulting point.
 * k      Scalar to multiply by.
 * table  Pre-computed table.
 * map    Indicates whether to convert result to affine.
 * ct     Constant time required.
 * heap   Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_stripe_5(sp_point_256* r, const sp_point_256* g,
        const sp_table_entry_256* table, const sp_digit* k, int map,
        int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* rt = NULL;
    sp_digit* t = NULL;
#else
    sp_point_256 rt[2];
    sp_digit t[2 * 5 * 6];
#endif
    sp_point_256* p = NULL;
    int i;
    int j;
    int y;
    int x;
    int err = MP_OKAY;

    (void)g;
    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;


#ifdef WOLFSSL_SP_SMALL_STACK
    rt = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap,
                                      DYNAMIC_TYPE_ECC);
    if (rt == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 6, heap,
                               DYNAMIC_TYPE_ECC);
        if (t == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = rt + 1;

        XMEMCPY(p->z, p256_norm_mod, sizeof(p256_norm_mod));
        XMEMCPY(rt->z, p256_norm_mod, sizeof(p256_norm_mod));

        y = 0;
        x = 31;
        for (j=0; j<8; j++) {
            y |= (int)(((k[x / 52] >> (x % 52)) & 1) << j);
            x += 32;
        }
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_256_get_entry_256_5(rt, table, y);
        } else
    #endif
        {
            XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
            XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
        }
        rt->infinity = !y;
        for (i=30; i>=0; i--) {
            y = 0;
            x = i;
            for (j=0; j<8; j++) {
                y |= (int)(((k[x / 52] >> (x % 52)) & 1) << j);
                x += 32;
            }

            sp_256_proj_point_dbl_5(rt, rt, t);
        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_256_get_entry_256_5(p, table, y);
            }
            else
        #endif
            {
                XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
                XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
            }
            p->infinity = !y;
            sp_256_proj_point_add_qz1_5(rt, rt, p, t);
        }

        if (map != 0) {
            sp_256_map_5(r, rt, t);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_256));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (rt != NULL)
        XFREE(rt, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#ifndef FP_ENTRIES
    #define FP_ENTRIES 16
#endif

/* Cache entry - holds precomputation tables for a point. */
typedef struct sp_cache_256_t {
    /* X ordinate of point that table was generated from. */
    sp_digit x[5];
    /* Y ordinate of point that table was generated from. */
    sp_digit y[5];
    /* Precomputation table for point. */
    sp_table_entry_256 table[256];
    /* Count of entries in table. */
    uint32_t cnt;
    /* Point and table set in entry. */
    int set;
} sp_cache_256_t;

/* Cache of tables. */
static THREAD_LS_T sp_cache_256_t sp_cache_256[FP_ENTRIES];
/* Index of last entry in cache. */
static THREAD_LS_T int sp_cache_256_last = -1;
/* Cache has been initialized. */
static THREAD_LS_T int sp_cache_256_inited = 0;

#ifndef HAVE_THREAD_LS
    static volatile int initCacheMutex_256 = 0;
    static wolfSSL_Mutex sp_cache_256_lock;
#endif

/* Get the cache entry for the point.
 *
 * g      [in]   Point scalar multiplying.
 * cache  [out]  Cache table to use.
 */
static void sp_ecc_get_cache_256(const sp_point_256* g, sp_cache_256_t** cache)
{
    int i;
    int j;
    uint32_t least;

    if (sp_cache_256_inited == 0) {
        for (i=0; i<FP_ENTRIES; i++) {
            sp_cache_256[i].set = 0;
        }
        sp_cache_256_inited = 1;
    }

    /* Compare point with those in cache. */
    for (i=0; i<FP_ENTRIES; i++) {
        if (!sp_cache_256[i].set)
            continue;

        if (sp_256_cmp_equal_5(g->x, sp_cache_256[i].x) &
                           sp_256_cmp_equal_5(g->y, sp_cache_256[i].y)) {
            sp_cache_256[i].cnt++;
            break;
        }
    }

    /* No match. */
    if (i == FP_ENTRIES) {
        /* Find empty entry. */
        i = (sp_cache_256_last + 1) % FP_ENTRIES;
        for (; i != sp_cache_256_last; i=(i+1)%FP_ENTRIES) {
            if (!sp_cache_256[i].set) {
                break;
            }
        }

        /* Evict least used. */
        if (i == sp_cache_256_last) {
            least = sp_cache_256[0].cnt;
            for (j=1; j<FP_ENTRIES; j++) {
                if (sp_cache_256[j].cnt < least) {
                    i = j;
                    least = sp_cache_256[i].cnt;
                }
            }
        }

        XMEMCPY(sp_cache_256[i].x, g->x, sizeof(sp_cache_256[i].x));
        XMEMCPY(sp_cache_256[i].y, g->y, sizeof(sp_cache_256[i].y));
        sp_cache_256[i].set = 1;
        sp_cache_256[i].cnt = 1;
    }

    *cache = &sp_cache_256[i];
    sp_cache_256_last = i;
}
#endif /* FP_ECC */

/* Multiply the base point of P256 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_5(sp_point_256* r, const sp_point_256* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifndef FP_ECC
    return sp_256_ecc_mulmod_win_add_sub_5(r, g, k, map, ct, heap);
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp;
#else
    sp_digit tmp[2 * 5 * 6];
#endif
    sp_cache_256_t* cache;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 6, heap, DYNAMIC_TYPE_ECC);
    if (tmp == NULL) {
        err = MEMORY_E;
    }
#endif
#ifndef HAVE_THREAD_LS
    if (err == MP_OKAY) {
        if (initCacheMutex_256 == 0) {
            wc_InitMutex(&sp_cache_256_lock);
            initCacheMutex_256 = 1;
        }
        if (wc_LockMutex(&sp_cache_256_lock) != 0) {
            err = BAD_MUTEX_E;
        }
    }
#endif /* HAVE_THREAD_LS */

    if (err == MP_OKAY) {
        sp_ecc_get_cache_256(g, &cache);
        if (cache->cnt == 2)
            sp_256_gen_stripe_table_5(g, cache->table, tmp, heap);

#ifndef HAVE_THREAD_LS
        wc_UnLockMutex(&sp_cache_256_lock);
#endif /* HAVE_THREAD_LS */

        if (cache->cnt < 2) {
            err = sp_256_ecc_mulmod_win_add_sub_5(r, g, k, map, ct, heap);
        }
        else {
            err = sp_256_ecc_mulmod_stripe_5(r, g, cache->table, k,
                    map, ct, heap);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif
    return err;
#endif
}

#endif
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * p     Point to multiply.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_256(const mp_int* km, const ecc_point* gm, ecc_point* r,
        int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_256 point[1];
    sp_digit k[5];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_256_from_mp(k, 5, km);
        sp_256_point_from_ecc_point_5(point, gm);

            err = sp_256_ecc_mulmod_5(point, point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_256_point_to_ecc_point_5(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the point by the scalar, add point a and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * p       Point to multiply.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_add_256(const mp_int* km, const ecc_point* gm,
    const ecc_point* am, int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_256 point[2];
    sp_digit k[5 + 5 * 2 * 6];
#endif
    sp_point_256* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (5 + 5 * 2 * 6), heap,
            DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 5;

        sp_256_from_mp(k, 5, km);
        sp_256_point_from_ecc_point_5(point, gm);
        sp_256_point_from_ecc_point_5(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->x, addP->x, p256_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->y, addP->y, p256_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->z, addP->z, p256_mod);
    }
    if (err == MP_OKAY) {
            err = sp_256_ecc_mulmod_5(point, point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_256_proj_point_add_5(point, point, addP, tmp);

        if (map) {
                sp_256_map_5(point, point, tmp);
        }

        err = sp_256_point_to_ecc_point_5(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the base point of P256 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_base_5(sp_point_256* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_256_ecc_mulmod_5(r, &p256_base, k, map, ct, heap);
}

#ifdef WOLFSSL_SP_NONBLOCK
static int sp_256_ecc_mulmod_base_5_nb(sp_ecc_ctx_t* sp_ctx, sp_point_256* r,
        const sp_digit* k, int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_256_ecc_mulmod_5_nb(sp_ctx, r, &p256_base, k, map, ct, heap);
}
#endif /* WOLFSSL_SP_NONBLOCK */


#else
/* Striping precomputation table.
 * 8 points combined into a table of 256 points.
 * Distance of 32 between points.
 */
static const sp_table_entry_256 p256_table[256] = {
    /* 0 */
    { { 0x00, 0x00, 0x00, 0x00, 0x00 },
      { 0x00, 0x00, 0x00, 0x00, 0x00 } },
    /* 1 */
    { { 0x730d418a9143cL,0xfc5fedb60179eL,0x762251075ba95L,0x55c679fb732b7L,
        0x018905f76a537L },
      { 0x25357ce95560aL,0xe4ba19e45cddfL,0xd21f3258b4ab8L,0x5d85d2e88688dL,
        0x08571ff182588L } },
    /* 2 */
    { { 0x886024147519aL,0xac26b372f0202L,0x785ebc8d0981eL,0x58e9a9d4a7caaL,
        0x0d953c50ddbdfL },
      { 0x361ccfd590f8fL,0x6b44e6c9179d6L,0x2eb64cf72e962L,0x88f37fd961102L,
        0x0863ebb7e9eb2L } },
    /* 3 */
    { { 0x6b6235cdb6485L,0xa22f0a2f97785L,0xf7e300b808f0eL,0x80a03e68d9544L,
        0x000076055b5ffL },
      { 0x4eb9b838d2010L,0xbb3243708a763L,0x42a660654014fL,0x3ee0e0e47d398L,
        0x0830877613437L } },
    /* 4 */
    { { 0x22fc516a0d2bbL,0x6c1a6234994f9L,0x7c62c8b0d5cc1L,0x667f9241cf3a5L,
        0x02f5e6961fd1bL },
      { 0x5c70bf5a01797L,0x4d609561925c1L,0x71fdb523d20b4L,0x0f7b04911b370L,
        0x0f648f9168d6fL } },
    /* 5 */
    { { 0x66847e137bbbcL,0x9e8a6a0bec9e5L,0x9d73463e43446L,0x0015b1c427617L,
        0x05abe0285133dL },
      { 0xa837cc04c7dabL,0x4c43260c0792aL,0x8e6cc37573d9fL,0x73830c9315627L,
        0x094bb725b6b6fL } },
    /* 6 */
    { { 0x9b48f720f141cL,0xcd2df5bc74bbfL,0x11045c46199b3L,0xc4efdc3f61294L,
        0x0cdd6bbcb2f7dL },
      { 0x6700beaf436fdL,0x6db99326beccaL,0x14f25226f647fL,0xe5f60c0fa7920L,
        0x0a361bebd4bdaL } },
    /* 7 */
    { { 0xa2558597c13c7L,0x5f50b7c3e128aL,0x3c09d1dc38d63L,0x292c07039aecfL,
        0x0ba12ca09c4b5L },
      { 0x08fa459f91dfdL,0x66ceea07fb9e4L,0xd780b293af43bL,0xef4b1eceb0899L,
        0x053ebb99d701fL } },
    /* 8 */
    { { 0x7ee31b0e63d34L,0x72a9e54fab4feL,0x5e7b5a4f46005L,0x4831c0493334dL,
        0x08589fb9206d5L },
      { 0x0f5cc6583553aL,0x4ae25649e5aa7L,0x0044652087909L,0x1c4fcc9045071L,
        0x0ebb0696d0254L } },
    /* 9 */
    { { 0x6ca15ac1647c5L,0x47c4cf5799461L,0x64dfbacb8127dL,0x7da3dc666aa37L,
        0x0eb2820cbd1b2L },
      { 0x6f8d86a87e008L,0x9d922378f3940L,0x0ccecb2d87dfaL,0xda1d56ed2e428L,
        0x01f28289b55a7L } },
    /* 10 */
    { { 0xaa0c03b89da99L,0x9eb8284022abbL,0x81c05e8a6f2d7L,0x4d6327847862bL,
        0x0337a4b5905e5L },
      { 0x7500d21f7794aL,0xb77d6d7f613c6L,0x4cfd6e8207005L,0xfbd60a5a37810L,
        0x00d65e0d5f4c2L } },
    /* 11 */
    { { 0x09bbeb5275d38L,0x450be0a358d9dL,0x73eb2654268a7L,0xa232f0762ff49L,
        0x0c23da24252f4L },
      { 0x1b84f0b94520cL,0x63b05bd78e5daL,0x4d29ea1096667L,0xcff13a4dcb869L,
        0x019de3b8cc790L } },
    /* 12 */
    { { 0xa716c26c5fe04L,0x0b3bba1bdb183L,0x4cb712c3b28deL,0xcbfd7432c586aL,
        0x0e34dcbd491fcL },
      { 0x8d46baaa58403L,0x8682e97a53b40L,0x6aaa8af9a6974L,0x0f7f9e3901273L,
        0x0e7641f447b4eL } },
    /* 13 */
    { { 0x53941df64ba59L,0xec0b0242fc7d7L,0x1581859d33f10L,0x57bf4f06dfc6aL,
        0x04a12df57052aL },
      { 0x6338f9439dbd0L,0xd4bde53e1fbfaL,0x1f1b314d3c24bL,0xea46fd5e4ffa2L,
        0x06af5aa93bb5bL } },
    /* 14 */
    { { 0x0b69910c91999L,0x402a580491da1L,0x8cc20900a24b4L,0x40133e0094b4bL,
        0x05fe3475a66a4L },
      { 0x8cabdf93e7b4bL,0x1a7c23f91ab0fL,0xd1e6263292b50L,0xa91642e889aecL,
        0x0b544e308ecfeL } },
    /* 15 */
    { { 0x8c6e916ddfdceL,0x66f89179e6647L,0xd4e67e12c3291L,0xc20b4e8d6e764L,
        0x0e0b6b2bda6b0L },
      { 0x12df2bb7efb57L,0xde790c40070d3L,0x79bc9441aac0dL,0x3774f90336ad6L,
        0x071c023de25a6L } },
    /* 16 */
    { { 0x8c244bfe20925L,0xc38fdce86762aL,0xd38706391c19aL,0x24f65a96a5d5dL,
        0x061d587d421d3L },
      { 0x673a2a37173eaL,0x0853778b65e87L,0x5bab43e238480L,0xefbe10f8441e0L,
        0x0fa11fe124621L } },
    /* 17 */
    { { 0x91f2b2cb19ffdL,0x5bb1923c231c8L,0xac5ca8e01ba8dL,0xbedcb6d03d678L,
        0x0586eb04c1f13L },
      { 0x5c6e527e8ed09L,0x3c1819ede20c3L,0x6c652fa1e81a3L,0x4f11278fd6c05L,
        0x019d5ac087086L } },
    /* 18 */
    { { 0x9f581309a4e1fL,0x1be92700741e9L,0xfd28d20ab7de7L,0x563f26a5ef0beL,
        0x0e7c0073f7f9cL },
      { 0xd663a0ef59f76L,0x5420fcb0501f6L,0xa6602d4669b3bL,0x3c0ac08c1f7a7L,
        0x0e08504fec65bL } },
    /* 19 */
    { { 0x8f68da031b3caL,0x9ee6da6d66f09L,0x4f246e86d1cabL,0x96b45bfd81fa9L,
        0x078f018825b09L },
      { 0xefde43a25787fL,0x0d1dccac9bb7eL,0x35bfc368016f8L,0x747a0cea4877bL,
        0x043a773b87e94L } },
    /* 20 */
    { { 0x77734d2b533d5L,0xf6a1bdddc0625L,0x79ec293673b8aL,0x66b1577e7c9aaL,
        0x0bb6de651c3b2L },
      { 0x9303ab65259b3L,0xd3d03a7480e7eL,0xb3cfc27d6a0afL,0xb99bc5ac83d19L,
        0x060b4619a5d18L } },
    /* 21 */
    { { 0xa38e11ae5aa1cL,0x2b49e73658bd6L,0xe5f87edb8b765L,0xffcd0b130014eL,
        0x09d0f27b2aeebL },
      { 0x246317a730a55L,0x2fddbbc83aca9L,0xc019a719c955bL,0xc48d07c1dfe0aL,
        0x0244a566d356eL } },
    /* 22 */
    { { 0x0394aeacf1f96L,0xa9024c271c6dbL,0x2cbd3b99f2122L,0xef692626ac1b8L,
        0x045e58c873581L },
      { 0xf479da38f9dbcL,0x46e888a040d3fL,0x6e0bed7a8aaf1L,0xb7a4945adfb24L,
        0x0c040e21cc1e4L } },
    /* 23 */
    { { 0xaf0006f8117b6L,0xff73a35433847L,0xd9475eb651969L,0x6ec7482b35761L,
        0x01cdf5c97682cL },
      { 0x775b411f04839L,0xf448de16987dbL,0x70b32197dbeacL,0xff3db2921dd1bL,
        0x0046755f8a92dL } },
    /* 24 */
    { { 0xac5d2bce8ffcdL,0x8b2fe61a82cc8L,0x202d6c70d53c4L,0xa5f3f6f161727L,
        0x0046e5e113b83L },
      { 0x8ff64d8007f01L,0x125af43183e7bL,0x5e1a03c7fb1efL,0x005b045c5ea63L,
        0x06e0106c3303dL } },
    /* 25 */
    { { 0x7358488dd73b1L,0x8f995ed0d948cL,0x56a2ab7767070L,0xcf1f38385ea8cL,
        0x0442594ede901L },
      { 0xaa2c912d4b65bL,0x3b96c90c37f8fL,0xe978d1f94c234L,0xe68ed326e4a15L,
        0x0a796fa514c2eL } },
    /* 26 */
    { { 0xfb604823addd7L,0x83e56693b3359L,0xcbf3c809e2a61L,0x66e9f885b78e3L,
        0x0e4ad2da9c697L },
      { 0xf7f428e048a61L,0x8cc092d9a0357L,0x03ed8ef082d19L,0x5143fc3a1af4cL,
        0x0c5e94046c37bL } },
    /* 27 */
    { { 0xa538c2be75f9eL,0xe8cb123a78476L,0x109c04b6fd1a9L,0x4747d85e4df0bL,
        0x063283dafdb46L },
      { 0x28cf7baf2df15L,0x550ad9a7f4ce7L,0x834bcc3e592c4L,0xa938fab226adeL,
        0x068bd19ab1981L } },
    /* 28 */
    { { 0xead511887d659L,0xf4b359305ac08L,0xfe74fe33374d5L,0xdfd696986981cL,
        0x0495292f53c6fL },
      { 0x78c9e1acec896L,0x10ec5b44844a8L,0x64d60a7d964b2L,0x68376696f7e26L,
        0x00ec7530d2603L } },
    /* 29 */
    { { 0x13a05ad2687bbL,0x6af32e21fa2daL,0xdd4607ba1f83bL,0x3f0b390f5ef51L,
        0x00f6207a66486L },
      { 0x7e3bb0f138233L,0x6c272aa718bd6L,0x6ec88aedd66b9L,0x6dcf8ed004072L,
        0x0ff0db07208edL } },
    /* 30 */
    { { 0xfa1014c95d553L,0xfd5d680a8a749L,0xf3b566fa44052L,0x0ea3183b4317fL,
        0x0313b513c8874L },
      { 0x2e2ac08d11549L,0x0bb4dee21cb40L,0x7f2320e071ee1L,0x9f8126b987dd4L,
        0x02d3abcf986f1L } },
    /* 31 */
    { { 0x88501815581a2L,0x56632211af4c2L,0xcab2e999a0a6dL,0x8cdf19ba7a0f0L,
        0x0c036fa10ded9L },
      { 0xe08bac1fbd009L,0x9006d1581629aL,0xb9e0d8f0b68b1L,0x0194c2eb32779L,
        0x0a6b2a2c4b6d4L } },
    /* 32 */
    { { 0x3e50f6d3549cfL,0x6ffacd665ed43L,0xe11fcb46f3369L,0x9860695bfdaccL,
        0x0810ee252af7cL },
      { 0x50fe17159bb2cL,0xbe758b357b654L,0x69fea72f7dfbeL,0x17452b057e74dL,
        0x0d485717a9273L } },
    /* 33 */
    { { 0x41a8af0cb5a98L,0x931f3110bf117L,0xb382adfd3da8fL,0x604e1994e2cbaL,
        0x06a6045a72f9aL },
      { 0xc0d3fa2b2411dL,0x3e510e96e0170L,0x865b3ccbe0eb8L,0x57903bcc9f738L,
        0x0d3e45cfaf9e1L } },
    /* 34 */
    { { 0xf69bbe83f7669L,0x8272877d6bce1L,0x244278d09f8aeL,0xc19c9548ae543L,
        0x0207755dee3c2L },
      { 0xd61d96fef1945L,0xefb12d28c387bL,0x2df64aa18813cL,0xb00d9fbcd1d67L,
        0x048dc5ee57154L } },
    /* 35 */
    { { 0x790bff7e5a199L,0xcf989ccbb7123L,0xa519c79e0efb8L,0xf445c27a2bfe0L,
        0x0f2fb0aeddff6L },
      { 0x09575f0b5025fL,0xd740fa9f2241cL,0x80bfbd0550543L,0xd5258fa3c8ad3L,
        0x0a13e9015db28L } },
    /* 36 */
    { { 0x7a350a2b65cbcL,0x722a464226f9fL,0x23f07a10b04b9L,0x526f265ce241eL,
        0x02bf0d6b01497L },
      { 0x4dd3f4b216fb7L,0x67fbdda26ad3dL,0x708505cf7d7b8L,0xe89faeb7b83f6L,
        0x042a94a5a162fL } },
    /* 37 */
    { { 0x6ad0beaadf191L,0x9025a268d7584L,0x94dc1f60f8a48L,0xde3de86030504L,
        0x02c2dd969c65eL },
      { 0x2171d93849c17L,0xba1da250dd6d0L,0xc3a5485460488L,0x6dbc4810c7063L,
        0x0f437fa1f42c5L } },
    /* 38 */
    { { 0x0d7144a0f7dabL,0x931776e9ac6aaL,0x5f397860f0497L,0x7aa852c0a050fL,
        0x0aaf45b335470L },
      { 0x37c33c18d364aL,0x063e49716585eL,0x5ec5444d40b9bL,0x72bcf41716811L,
        0x0cdf6310df4f2L } },
    /* 39 */
    { { 0x3c6238ea8b7efL,0x1885bc2287747L,0xbda8e3408e935L,0x2ff2419567722L,
        0x0f0d008bada9eL },
      { 0x2671d2414d3b1L,0x85b019ea76291L,0x53bcbdbb37549L,0x7b8b5c61b96d4L,
        0x05bd5c2f5ca88L } },
    /* 40 */
    { { 0xf469ef49a3154L,0x956e2b2e9aef0L,0xa924a9c3e85a5L,0x471945aaec1eaL,
        0x0aa12dfc8a09eL },
      { 0x272274df69f1dL,0x2ca2ff5e7326fL,0x7a9dd44e0e4c8L,0xa901b9d8ce73bL,
        0x06c036e73e48cL } },
    /* 41 */
    { { 0xae12a0f6e3138L,0x0025ad345a5cfL,0x5672bc56966efL,0xbe248993c64b4L,
        0x0292ff65896afL },
      { 0x50d445e213402L,0x274392c9fed52L,0xa1c72e8f6580eL,0x7276097b397fdL,
        0x0644e0c90311bL } },
    /* 42 */
    { { 0x421e1a47153f0L,0x79920418c9e1eL,0x05d7672b86c3bL,0x9a7793bdce877L,
        0x0f25ae793cab7L },
      { 0x194a36d869d0cL,0x824986c2641f3L,0x96e945e9d55c8L,0x0a3e49fb5ea30L,
        0x039b8e65313dbL } },
    /* 43 */
    { { 0x54200b6fd2e59L,0x669255c98f377L,0xe2a573935e2c0L,0xdb06d9dab21a0L,
        0x039122f2f0f19L },
      { 0xce1e003cad53cL,0x0fe65c17e3cfbL,0xaa13877225b2cL,0xff8d72baf1d29L,
        0x08de80af8ce80L } },
    /* 44 */
    { { 0xea8d9207bbb76L,0x7c21782758afbL,0xc0436b1921c7eL,0x8c04dfa2b74b1L,
        0x0871949062e36L },
      { 0x928bba3993df5L,0xb5f3b3d26ab5fL,0x5b55050639d75L,0xfde1011aa78a8L,
        0x0fc315e6a5b74L } },
    /* 45 */
    { { 0xfd41ae8d6ecfaL,0xf61aec7f86561L,0x924741d5f8c44L,0x908898452a7b4L,
        0x0e6d4a7adee38L },
      { 0x52ed14593c75dL,0xa4dd271162605L,0xba2c7db70a70dL,0xae57d2aede937L,
        0x035dfaf9a9be2L } },
    /* 46 */
    { { 0x56fcdaa736636L,0x97ae2cab7e6b9L,0xf34996609f51dL,0x0d2bfb10bf410L,
        0x01da5c7d71c83L },
      { 0x1e4833cce6825L,0x8ff9573c3b5c4L,0x23036b815ad11L,0xb9d6a28552c7fL,
        0x07077c0fddbf4L } },
    /* 47 */
    { { 0x3ff8d46b9661cL,0x6b0d2cfd71bf6L,0x847f8f7a1dfd3L,0xfe440373e140aL,
        0x053a8632ee50eL },
      { 0x6ff68696d8051L,0x95c74f468a097L,0xe4e26bddaec0cL,0xfcc162994dc35L,
        0x0028ca76d34e1L } },
    /* 48 */
    { { 0xd47dcfc9877eeL,0x10801d0002d11L,0x4c260b6c8b362L,0xf046d002c1175L,
        0x004c17cd86962L },
      { 0xbd094b0daddf5L,0x7524ce55c06d9L,0x2da03b5bea235L,0x7474663356e67L,
        0x0f7ba4de9fed9L } },
    /* 49 */
    { { 0xbfa34ebe1263fL,0x3571ae7ce6d0dL,0x2a6f523557637L,0x1c41d24405538L,
        0x0e31f96005213L },
      { 0xb9216ea6b6ec6L,0x2e73c2fc44d1bL,0x9d0a29437a1d1L,0xd47bc10e7eac8L,
        0x0aa3a6259ce34L } },
    /* 50 */
    { { 0xf9df536f3dcd3L,0x50d2bf7360fbcL,0xf504f5b6cededL,0xdaee491710fadL,
        0x02398dd627e79L },
      { 0x705a36d09569eL,0xbb5149f769cf4L,0x5f6034cea0619L,0x6210ff9c03773L,
        0x05717f5b21c04L } },
    /* 51 */
    { { 0x229c921dd895eL,0x0040c284519feL,0xd637ecd8e5185L,0x28defa13d2391L,
        0x0660a2c560e3cL },
      { 0xa88aed67fcbd0L,0x780ea9f0969ccL,0x2e92b4dc84724L,0x245332b2f4817L,
        0x0624ee54c4f52L } },
    /* 52 */
    { { 0x49ce4d897ecccL,0xd93f9880aa095L,0x43a7c204d49d1L,0xfbc0723c24230L,
        0x04f392afb92bdL },
      { 0x9f8fa7de44fd9L,0xe457b32156696L,0x68ebc3cb66cfbL,0x399cdb2fa8033L,
        0x08a3e7977ccdbL } },
    /* 53 */
    { { 0x1881f06c4b125L,0x00f6e3ca8cddeL,0xc7a13e9ae34e3L,0x4404ef6999de5L,
        0x03888d02370c2L },
      { 0x8035644f91081L,0x615f015504762L,0x32cd36e3d9fcfL,0x23361827edc86L,
        0x0a5e62e471810L } },
    /* 54 */
    { { 0x25ee32facd6c8L,0x5454bcbc661a8L,0x8df9931699c63L,0x5adc0ce3edf79L,
        0x02c4768e6466aL },
      { 0x6ff8c90a64bc9L,0x20e4779f5cb34L,0xc05e884630a60L,0x52a0d949d064bL,
        0x07b5e6441f9e6L } },
    /* 55 */
    { { 0x9422c1d28444aL,0xd8be136a39216L,0xb0c7fcee996c5L,0x744a2387afe5fL,
        0x0b8af73cb0c8dL },
      { 0xe83aa338b86fdL,0x58a58a5cff5fdL,0x0ac9433fee3f1L,0x0895c9ee8f6f2L,
        0x0a036395f7f3fL } },
    /* 56 */
    { { 0x3c6bba10f7770L,0x81a12a0e248c7L,0x1bc2b9fa6f16dL,0xb533100df6825L,
        0x04be36b01875fL },
      { 0x6086e9fb56dbbL,0x8b07e7a4f8922L,0x6d52f20306fefL,0x00c0eeaccc056L,
        0x08cbc9a871bdcL } },
    /* 57 */
    { { 0x1895cc0dac4abL,0x40712ff112e13L,0xa1cee57a874a4L,0x35f86332ae7c6L,
        0x044e7553e0c08L },
      { 0x03fff7734002dL,0x8b0b34425c6d5L,0xe8738b59d35cbL,0xfc1895f702760L,
        0x0470a683a5eb8L } },
    /* 58 */
    { { 0x761dc90513482L,0x2a01e9276a81bL,0xce73083028720L,0xc6efcda441ee0L,
        0x016410690c63dL },
      { 0x34a066d06a2edL,0x45189b100bf50L,0xb8218c9dd4d77L,0xbb4fd914ae72aL,
        0x0d73479fd7abcL } },
    /* 59 */
    { { 0xefb165ad4c6e5L,0x8f5b06d04d7edL,0x575cb14262cf0L,0x666b12ed5bb18L,
        0x0816469e30771L },
      { 0xb9d79561e291eL,0x22c1de1661d7aL,0x35e0513eb9dafL,0x3f9cf49827eb1L,
        0x00a36dd23f0ddL } },
    /* 60 */
    { { 0xd32c741d5533cL,0x9e8684628f098L,0x349bd117c5f5aL,0xb11839a228adeL,
        0x0e331dfd6fdbaL },
      { 0x0ab686bcc6ed8L,0xbdef7a260e510L,0xce850d77160c3L,0x33899063d9a7bL,
        0x0d3b4782a492eL } },
    /* 61 */
    { { 0x9b6e8f3821f90L,0xed66eb7aada14L,0xa01311692edd9L,0xa5bd0bb669531L,
        0x07281275a4c86L },
      { 0x858f7d3ff47e5L,0xbc61016441503L,0xdfd9bb15e1616L,0x505962b0f11a7L,
        0x02c062e7ece14L } },
    /* 62 */
    { { 0xf996f0159ac2eL,0x36cbdb2713a76L,0x8e46047281e77L,0x7ef12ad6d2880L,
        0x0282a35f92c4eL },
      { 0x54b1ec0ce5cd2L,0xc91379c2299c3L,0xe82c11ecf99efL,0x2abd992caf383L,
        0x0c71cd513554dL } },
    /* 63 */
    { { 0x5de9c09b578f4L,0x58e3affa7a488L,0x9182f1f1884e2L,0xf3a38f76b1b75L,
        0x0c50f6740cf47L },
      { 0x4adf3374b68eaL,0x2369965fe2a9cL,0x5a53050a406f3L,0x58dc2f86a2228L,
        0x0b9ecb3a72129L } },
    /* 64 */
    { { 0x8410ef4f8b16aL,0xfec47b266a56fL,0xd9c87c197241aL,0xab1b0a406b8e6L,
        0x0803f3e02cd42L },
      { 0x309a804dbec69L,0xf73bbad05f7f0L,0xd8e197fa83b85L,0xadc1c6097273aL,
        0x0c097440e5067L } },
    /* 65 */
    { { 0xa56f2c379ab34L,0x8b841df8d1846L,0x76c68efa8ee06L,0x1f30203144591L,
        0x0f1af32d5915fL },
      { 0x375315d75bd50L,0xbaf72f67bc99cL,0x8d7723f837cffL,0x1c8b0613a4184L,
        0x023d0f130e2d4L } },
    /* 66 */
    { { 0xab6edf41500d9L,0xe5fcbeada8857L,0x97259510d890aL,0xfadd52fe86488L,
        0x0b0288dd6c0a3L },
      { 0x20f30650bcb08L,0x13695d6e16853L,0x989aa7671af63L,0xc8d231f520a7bL,
        0x0ffd3724ff408L } },
    /* 67 */
    { { 0x68e64b458e6cbL,0x20317a5d28539L,0xaa75f56992dadL,0x26df3814ae0b7L,
        0x0f5590f4ad78cL },
      { 0x24bd3cf0ba55aL,0x4a0c778bae0fcL,0x83b674a0fc472L,0x4a201ce9864f6L,
        0x018d6da54f6f7L } },
    /* 68 */
    { { 0x3e225d5be5a2bL,0x835934f3c6ed9L,0x2626ffc6fe799L,0x216a431409262L,
        0x050bbb4d97990L },
      { 0x191c6e57ec63eL,0x40181dcdb2378L,0x236e0f665422cL,0x49c341a8099b0L,
        0x02b10011801feL } },
    /* 69 */
    { { 0x8b5c59b391593L,0xa2598270fcfc6L,0x19adcbbc385f5L,0xae0c7144f3aadL,
        0x0dd55899983fbL },
      { 0x88b8e74b82ff4L,0x4071e734c993bL,0x3c0322ad2e03cL,0x60419a7a9eaf4L,
        0x0e6e4c551149dL } },
    /* 70 */
    { { 0x655bb1e9af288L,0x64f7ada93155fL,0xb2820e5647e1aL,0x56ff43697e4bcL,
        0x051e00db107edL },
      { 0x169b8771c327eL,0x0b4a96c2ad43dL,0xdeb477929cdb2L,0x9177c07d51f53L,
        0x0e22f42414982L } },
    /* 71 */
    { { 0x5e8f4635f1abbL,0xb568538874cd4L,0x5a8034d7edc0cL,0x48c9c9472c1fbL,
        0x0f709373d52dcL },
      { 0x966bba8af30d6L,0x4af137b69c401L,0x361c47e95bf5fL,0x5b113966162a9L,
        0x0bd52d288e727L } },
    /* 72 */
    { { 0x55c7a9c5fa877L,0x727d3a3d48ab1L,0x3d189d817dad6L,0x77a643f43f9e7L,
        0x0a0d0f8e4c8aaL },
      { 0xeafd8cc94f92dL,0xbe0c4ddb3a0bbL,0x82eba14d818c8L,0x6a0022cc65f8bL,
        0x0a56c78c7946dL } },
    /* 73 */
    { { 0x2391b0dd09529L,0xa63daddfcf296L,0xb5bf481803e0eL,0x367a2c77351f5L,
        0x0d8befdf8731aL },
      { 0x19d42fc0157f4L,0xd7fec8e650ab9L,0x2d48b0af51caeL,0x6478cdf9cb400L,
        0x0854a68a5ce9fL } },
    /* 74 */
    { { 0x5f67b63506ea5L,0x89a4fe0d66dc3L,0xe95cd4d9286c4L,0x6a953f101d3bfL,
        0x05cacea0b9884L },
      { 0xdf60c9ceac44dL,0xf4354d1c3aa90L,0xd5dbabe3db29aL,0xefa908dd3de8aL,
        0x0e4982d1235e4L } },
    /* 75 */
    { { 0x04a22c34cd55eL,0xb32680d132231L,0xfa1d94358695bL,0x0499fb345afa1L,
        0x08046b7f616b2L },
      { 0x3581e38e7d098L,0x8df46f0b70b53L,0x4cb78c4d7f61eL,0xaf5530dea9ea4L,
        0x0eb17ca7b9082L } },
    /* 76 */
    { { 0x1b59876a145b9L,0x0fc1bc71ec175L,0x92715bba5cf6bL,0xe131d3e035653L,
        0x0097b00bafab5L },
      { 0x6c8e9565f69e1L,0x5ab5be5199aa6L,0xa4fd98477e8f7L,0xcc9e6033ba11dL,
        0x0f95c747bafdbL } },
    /* 77 */
    { { 0xf01d3bebae45eL,0xf0c4bc6955558L,0xbc64fc6a8ebe9L,0xd837aeb705b1dL,
        0x03512601e566eL },
      { 0x6f1e1fa1161cdL,0xd54c65ef87933L,0x24f21e5328ab8L,0xab6b4757eee27L,
        0x00ef971236068L } },
    /* 78 */
    { { 0x98cf754ca4226L,0x38f8642c8e025L,0x68e17905eede1L,0xbc9548963f744L,
        0x0fc16d9333b4fL },
      { 0x6fb31e7c800caL,0x312678adaabe9L,0xff3e8b5138063L,0x7a173d6244976L,
        0x014ca4af1b95dL } },
    /* 79 */
    { { 0x771babd2f81d5L,0x6901f7d1967a4L,0xad9c9071a5f9dL,0x231dd898bef7cL,
        0x04057b063f59cL },
      { 0xd82fe89c05c0aL,0x6f1dc0df85bffL,0x35a16dbe4911cL,0x0b133befccaeaL,
        0x01c3b5d64f133L } },
    /* 80 */
    { { 0x14bfe80ec21feL,0x6ac255be825feL,0xf4a5d67f6ce11L,0x63af98bc5a072L,
        0x0fad27148db7eL },
      { 0x0b6ac29ab05b3L,0x3c4e251ae690cL,0x2aade7d37a9a8L,0x1a840a7dc875cL,
        0x077387de39f0eL } },
    /* 81 */
    { { 0xecc49a56c0dd7L,0xd846086c741e9L,0x505aecea5cffcL,0xc47e8f7a1408fL,
        0x0b37b85c0bef0L },
      { 0x6b6e4cc0e6a8fL,0xbf6b388f23359L,0x39cef4efd6d4bL,0x28d5aba453facL,
        0x09c135ac8f9f6L } },
    /* 82 */
    { { 0xa320284e35743L,0xb185a3cdef32aL,0xdf19819320d6aL,0x851fb821b1761L,
        0x05721361fc433L },
      { 0xdb36a71fc9168L,0x735e5c403c1f0L,0x7bcd8f55f98baL,0x11bdf64ca87e3L,
        0x0dcbac3c9e6bbL } },
    /* 83 */
    { { 0xd99684518cbe2L,0x189c9eb04ef01L,0x47feebfd242fcL,0x6862727663c7eL,
        0x0b8c1c89e2d62L },
      { 0x58bddc8e1d569L,0xc8b7d88cd051aL,0x11f31eb563809L,0x22d426c27fd9fL,
        0x05d23bbda2f94L } },
    /* 84 */
    { { 0xc729495c8f8beL,0x803bf362bf0a1L,0xf63d4ac2961c4L,0xe9009e418403dL,
        0x0c109f9cb91ecL },
      { 0x095d058945705L,0x96ddeb85c0c2dL,0xa40449bb9083dL,0x1ee184692b8d7L,
        0x09bc3344f2eeeL } },
    /* 85 */
    { { 0xae35642913074L,0x2748a542b10d5L,0x310732a55491bL,0x4cc1469ca665bL,
        0x029591d525f1aL },
      { 0xf5b6bb84f983fL,0x419f5f84e1e76L,0x0baa189be7eefL,0x332c1200d4968L,
        0x06376551f18efL } },
    /* 86 */
    { { 0x5f14e562976ccL,0xe60ef12c38bdaL,0xcca985222bca3L,0x987abbfa30646L,
        0x0bdb79dc808e2L },
      { 0xcb5c9cb06a772L,0xaafe536dcefd2L,0xc2b5db838f475L,0xc14ac2a3e0227L,
        0x08ee86001add3L } },
    /* 87 */
    { { 0x96981a4ade873L,0x4dc4fba48ccbeL,0xa054ba57ee9aaL,0xaa4b2cee28995L,
        0x092e51d7a6f77L },
      { 0xbafa87190a34dL,0x5bf6bd1ed1948L,0xcaf1144d698f7L,0xaaaad00ee6e30L,
        0x05182f86f0a56L } },
    /* 88 */
    { { 0x6212c7a4cc99cL,0x683e6d9ca1fbaL,0xac98c5aff609bL,0xa6f25dbb27cb5L,
        0x091dcab5d4073L },
      { 0x6cc3d5f575a70L,0x396f8d87fa01bL,0x99817360cb361L,0x4f2b165d4e8c8L,
        0x017a0cedb9797L } },
    /* 89 */
    { { 0x61e2a076c8d3aL,0x39210f924b388L,0x3a835d9701aadL,0xdf4194d0eae41L,
        0x02e8ce36c7f4cL },
      { 0x73dab037a862bL,0xb760e4c8fa912L,0x3baf2dd01ba9bL,0x68f3f96453883L,
        0x0f4ccc6cb34f6L } },
    /* 90 */
    { { 0xf525cf1f79687L,0x9592efa81544eL,0x5c78d297c5954L,0xf3c9e1231741aL,
        0x0ac0db4889a0dL },
      { 0xfc711df01747fL,0x58ef17df1386bL,0xccb6bb5592b93L,0x74a2e5880e4f5L,
        0x095a64a6194c9L } },
    /* 91 */
    { { 0x1efdac15a4c93L,0x738258514172cL,0x6cb0bad40269bL,0x06776a8dfb1c1L,
        0x0231e54ba2921L },
      { 0xdf9178ae6d2dcL,0x3f39112918a70L,0xe5b72234d6aa6L,0x31e1f627726b5L,
        0x0ab0be032d8a7L } },
    /* 92 */
    { { 0xad0e98d131f2dL,0xe33b04f101097L,0x5e9a748637f09L,0xa6791ac86196dL,
        0x0f1bcc8802cf6L },
      { 0x69140e8daacb4L,0x5560f6500925cL,0x77937a63c4e40L,0xb271591cc8fc4L,
        0x0851694695aebL } },
    /* 93 */
    { { 0x5c143f1dcf593L,0x29b018be3bde3L,0xbdd9d3d78202bL,0x55d8e9cdadc29L,
        0x08f67d9d2daadL },
      { 0x116567481ea5fL,0xe9e34c590c841L,0x5053fa8e7d2ddL,0x8b5dffdd43f40L,
        0x0f84572b9c072L } },
    /* 94 */
    { { 0xa7a7197af71c9L,0x447a7365655e1L,0xe1d5063a14494L,0x2c19a1b4ae070L,
        0x0edee2710616bL },
      { 0x034f511734121L,0x554a25e9f0b2fL,0x40c2ecf1cac6eL,0xd7f48dc148f3aL,
        0x09fd27e9b44ebL } },
    /* 95 */
    { { 0x7658af6e2cb16L,0x2cfe5919b63ccL,0x68d5583e3eb7dL,0xf3875a8c58161L,
        0x0a40c2fb6958fL },
      { 0xec560fedcc158L,0xc655f230568c9L,0xa307e127ad804L,0xdecfd93967049L,
        0x099bc9bb87dc6L } },
    /* 96 */
    { { 0x9521d927dafc6L,0x695c09cd1984aL,0x9366dde52c1fbL,0x7e649d9581a0fL,
        0x09abe210ba16dL },
      { 0xaf84a48915220L,0x6a4dd816c6480L,0x681ca5afa7317L,0x44b0c7d539871L,
        0x07881c25787f3L } },
    /* 97 */
    { { 0x99b51e0bcf3ffL,0xc5127f74f6933L,0xd01d9680d02cbL,0x89408fb465a2dL,
        0x015e6e319a30eL },
      { 0xd6e0d3e0e05f4L,0xdc43588404646L,0x4f850d3fad7bdL,0x72cebe61c7d1cL,
        0x00e55facf1911L } },
    /* 98 */
    { { 0xd9806f8787564L,0x2131e85ce67e9L,0x819e8d61a3317L,0x65776b0158cabL,
        0x0d73d09766fe9L },
      { 0x834251eb7206eL,0x0fc618bb42424L,0xe30a520a51929L,0xa50b5dcbb8595L,
        0x09250a3748f15L } },
    /* 99 */
    { { 0xf08f8be577410L,0x035077a8c6cafL,0xc0a63a4fd408aL,0x8c0bf1f63289eL,
        0x077414082c1ccL },
      { 0x40fa6eb0991cdL,0x6649fdc29605aL,0x324fd40c1ca08L,0x20b93a68a3c7bL,
        0x08cb04f4d12ebL } },
    /* 100 */
    { { 0x2d0556906171cL,0xcdb0240c3fb1cL,0x89068419073e9L,0x3b51db8e6b4fdL,
        0x0e4e429ef4712L },
      { 0xdd53c38ec36f4L,0x01ff4b6a270b8L,0x79a9a48f9d2dcL,0x65525d066e078L,
        0x037bca2ff3c6eL } },
    /* 101 */
    { { 0x2e3c7df562470L,0xa2c0964ac94cdL,0x0c793be44f272L,0xb22a7c6d5df98L,
        0x059913edc3002L },
      { 0x39a835750592aL,0x80e783de027a1L,0xa05d64f99e01dL,0xe226cf8c0375eL,
        0x043786e4ab013L } },
    /* 102 */
    { { 0x2b0ed9e56b5a6L,0xa6d9fc68f9ff3L,0x97846a70750d9L,0x9e7aec15e8455L,
        0x08638ca98b7e7L },
      { 0xae0960afc24b2L,0xaf4dace8f22f5L,0xecba78f05398eL,0xa6f03b765dd0aL,
        0x01ecdd36a7b3aL } },
    /* 103 */
    { { 0xacd626c5ff2f3L,0xc02873a9785d3L,0x2110d54a2d516L,0xf32dad94c9fadL,
        0x0d85d0f85d459L },
      { 0x00b8d10b11da3L,0x30a78318c49f7L,0x208decdd2c22cL,0x3c62556988f49L,
        0x0a04f19c3b4edL } },
    /* 104 */
    { { 0x924c8ed7f93bdL,0x5d392f51f6087L,0x21b71afcb64acL,0x50b07cae330a8L,
        0x092b2eeea5c09L },
      { 0xc4c9485b6e235L,0xa92936c0f085aL,0x0508891ab2ca4L,0x276c80faa6b3eL,
        0x01ee782215834L } },
    /* 105 */
    { { 0xa2e00e63e79f7L,0xb2f399d906a60L,0x607c09df590e7L,0xe1509021054a6L,
        0x0f3f2ced857a6L },
      { 0x510f3f10d9b55L,0xacd8642648200L,0x8bd0e7c9d2fcfL,0xe210e5631aa7eL,
        0x00f56a4543da3L } },
    /* 106 */
    { { 0x1bffa1043e0dfL,0xcc9c007e6d5b2L,0x4a8517a6c74b6L,0xe2631a656ec0dL,
        0x0bd8f17411969L },
      { 0xbbb86beb7494aL,0x6f45f3b8388a9L,0x4e5a79a1567d4L,0xfa09df7a12a7aL,
        0x02d1a1c3530ccL } },
    /* 107 */
    { { 0xe3813506508daL,0xc4a1d795a7192L,0xa9944b3336180L,0xba46cddb59497L,
        0x0a107a65eb91fL },
      { 0x1d1c50f94d639L,0x758a58b7d7e6dL,0xd37ca1c8b4af3L,0x9af21a7c5584bL,
        0x0183d760af87aL } },
    /* 108 */
    { { 0x697110dde59a4L,0x070e8bef8729dL,0xf2ebe78f1ad8dL,0xd754229b49634L,
        0x01d44179dc269L },
      { 0xdc0cf8390d30eL,0x530de8110cb32L,0xbc0339a0a3b27L,0xd26231af1dc52L,
        0x0771f9cc29606L } },
    /* 109 */
    { { 0x93e7785040739L,0xb98026a939999L,0x5f8fc2644539dL,0x718ecf40f6f2fL,
        0x064427a310362L },
      { 0xf2d8785428aa8L,0x3febfb49a84f4L,0x23d01ac7b7adcL,0x0d6d201b2c6dfL,
        0x049d9b7496ae9L } },
    /* 110 */
    { { 0x8d8bc435d1099L,0x4e8e8d1a08cc7L,0xcb68a412adbcdL,0x544502c2e2a02L,
        0x09037d81b3f60L },
      { 0xbac27074c7b61L,0xab57bfd72e7cdL,0x96d5352fe2031L,0x639c61ccec965L,
        0x008c3de6a7cc0L } },
    /* 111 */
    { { 0xdd020f6d552abL,0x9805cd81f120fL,0x135129156baffL,0x6b2f06fb7c3e9L,
        0x0c69094424579L },
      { 0x3ae9c41231bd1L,0x875cc5820517bL,0x9d6a1221eac6eL,0x3ac0208837abfL,
        0x03fa3db02cafeL } },
    /* 112 */
    { { 0xa3e6505058880L,0xef643943f2d75L,0xab249257da365L,0x08ff4147861cfL,
        0x0c5c4bdb0fdb8L },
      { 0x13e34b272b56bL,0x9511b9043a735L,0x8844969c8327eL,0xb6b5fd8ce37dfL,
        0x02d56db9446c2L } },
    /* 113 */
    { { 0x1782fff46ac6bL,0x2607a2e425246L,0x9a48de1d19f79L,0xba42fafea3c40L,
        0x00f56bd9de503L },
      { 0xd4ed1345cda49L,0xfc816f299d137L,0xeb43402821158L,0xb5f1e7c6a54aaL,
        0x04003bb9d1173L } },
    /* 114 */
    { { 0xe8189a0803387L,0xf539cbd4043b8L,0x2877f21ece115L,0x2f9e4297208ddL,
        0x053765522a07fL },
      { 0x80a21a8a4182dL,0x7a3219df79a49L,0xa19a2d4a2bbd0L,0x4549674d0a2e1L,
        0x07a056f586c5dL } },
    /* 115 */
    { { 0xb25589d8a2a47L,0x48c3df2773646L,0xbf0d5395b5829L,0x267551ec000eaL,
        0x077d482f17a1aL },
      { 0x1bd9587853948L,0xbd6cfbffeeb8aL,0x0681e47a6f817L,0xb0e4ab6ec0578L,
        0x04115012b2b38L } },
    /* 116 */
    { { 0x3f0f46de28cedL,0x609b13ec473c7L,0xe5c63921d5da7L,0x094661b8ce9e6L,
        0x0cdf04572fbeaL },
      { 0x3c58b6c53c3b0L,0x10447b843c1cbL,0xcb9780e97fe3cL,0x3109fb2b8ae12L,
        0x0ee703dda9738L } },
    /* 117 */
    { { 0x15140ff57e43aL,0xd3b1b811b8345L,0xf42b986d44660L,0xce212b3b5dff8L,
        0x02a0ad89da162L },
      { 0x4a6946bc277baL,0x54c141c27664eL,0xabf6274c788c9L,0x4659141aa64ccL,
        0x0d62d0b67ac2bL } },
    /* 118 */
    { { 0x5d87b2c054ac4L,0x59f27df78839cL,0x18128d6570058L,0x2426edf7cbf3bL,
        0x0b39a23f2991cL },
      { 0x84a15f0b16ae5L,0xb1a136f51b952L,0x27007830c6a05L,0x4cc51d63c137fL,
        0x004ed0092c067L } },
    /* 119 */
    { { 0x185d19ae90393L,0x294a3d64e61f4L,0x854fc143047b4L,0xc387ae0001a69L,
        0x0a0a91fc10177L },
      { 0xa3f01ae2c831eL,0x822b727e16ff0L,0xa3075b4bb76aeL,0x0c418f12c8a15L,
        0x0084cf9889ed2L } },
    /* 120 */
    { { 0x509defca6becfL,0x807dffb328d98L,0x778e8b92fceaeL,0xf77e5d8a15c44L,
        0x0d57955b273abL },
      { 0xda79e31b5d4f1L,0x4b3cfa7a1c210L,0xc27c20baa52f0L,0x41f1d4d12089dL,
        0x08e14ea4202d1L } },
    /* 121 */
    { { 0x50345f2897042L,0x1f43402c4aeedL,0x8bdfb218d0533L,0xd158c8d9c194cL,
        0x0597e1a372aa4L },
      { 0x7ec1acf0bd68cL,0xdcab024945032L,0x9fe3e846d4be0L,0x4dea5b9c8d7acL,
        0x0ca3f0236199bL } },
    /* 122 */
    { { 0xa10b56170bd20L,0xf16d3f5de7592L,0x4b2ade20ea897L,0x07e4a3363ff14L,
        0x0bde7fd7e309cL },
      { 0xbb6d2b8f5432cL,0xcbe043444b516L,0x8f95b5a210dc1L,0xd1983db01e6ffL,
        0x0b623ad0e0a7dL } },
    /* 123 */
    { { 0xbd67560c7b65bL,0x9023a4a289a75L,0x7b26795ab8c55L,0x137bf8220fd0dL,
        0x0d6aa2e4658ecL },
      { 0xbc00b5138bb85L,0x21d833a95c10aL,0x702a32e8c31d1L,0x513ab24ff00b1L,
        0x0111662e02dccL } },
    /* 124 */
    { { 0x14015efb42b87L,0x701b6c4dff781L,0x7d7c129bd9f5dL,0x50f866ecccd7aL,
        0x0db3ee1cb94b7L },
      { 0xf3db0f34837cfL,0x8bb9578d4fb26L,0xc56657de7eed1L,0x6a595d2cdf937L,
        0x0886a64425220L } },
    /* 125 */
    { { 0x34cfb65b569eaL,0x41f72119c13c2L,0x15a619e200111L,0x17bc8badc85daL,
        0x0a70cf4eb018aL },
      { 0xf97ae8c4a6a65L,0x270134378f224L,0xf7e096036e5cfL,0x7b77be3a609e4L,
        0x0aa4772abd174L } },
    /* 126 */
    { { 0x761317aa60cc0L,0x610368115f676L,0xbc1bb5ac79163L,0xf974ded98bb4bL,
        0x0611a6ddc30faL },
      { 0x78cbcc15ee47aL,0x824e0d96a530eL,0xdd9ed882e8962L,0x9c8836f35adf3L,
        0x05cfffaf81642L } },
    /* 127 */
    { { 0x54cff9b7a99cdL,0x9d843c45a1c0dL,0x2c739e17bf3b9L,0x994c038a908f6L,
        0x06e5a6b237dc1L },
      { 0xb454e0ba5db77L,0x7facf60d63ef8L,0x6608378b7b880L,0xabcce591c0c67L,
        0x0481a238d242dL } },
    /* 128 */
    { { 0x17bc035d0b34aL,0x6b8327c0a7e34L,0xc0362d1440b38L,0xf9438fb7262daL,
        0x02c41114ce0cdL },
      { 0x5cef1ad95a0b1L,0xa867d543622baL,0x1e486c9c09b37L,0x929726d6cdd20L,
        0x020477abf42ffL } },
    /* 129 */
    { { 0x5173c18d65dbfL,0x0e339edad82f7L,0xcf1001c77bf94L,0x96b67022d26bdL,
        0x0ac66409ac773L },
      { 0xbb36fc6261cc3L,0xc9190e7e908b0L,0x45e6c10213f7bL,0x2f856541cebaaL,
        0x0ce8e6975cc12L } },
    /* 130 */
    { { 0x21b41bc0a67d2L,0x0a444d248a0f1L,0x59b473762d476L,0xb4a80e044f1d6L,
        0x008fde365250bL },
      { 0xec3da848bf287L,0x82d3369d6eaceL,0x2449482c2a621L,0x6cd73582dfdc9L,
        0x02f7e2fd2565dL } },
    /* 131 */
    { { 0xb92dbc3770fa7L,0x5c379043f9ae4L,0x7761171095e8dL,0x02ae54f34e9d1L,
        0x0c65be92e9077L },
      { 0x8a303f6fd0a40L,0xe3bcce784b275L,0xf9767bfe7d822L,0x3b3a7ae4f5854L,
        0x04bff8e47d119L } },
    /* 132 */
    { { 0x1d21f00ff1480L,0x7d0754db16cd4L,0xbe0f3ea2ab8fbL,0x967dac81d2efbL,
        0x03e4e4ae65772L },
      { 0x8f36d3c5303e6L,0x4b922623977e1L,0x324c3c03bd999L,0x60289ed70e261L,
        0x05388aefd58ecL } },
    /* 133 */
    { { 0x317eb5e5d7713L,0xee75de49daad1L,0x74fb26109b985L,0xbe0e32f5bc4fcL,
        0x05cf908d14f75L },
      { 0x435108e657b12L,0xa5b96ed9e6760L,0x970ccc2bfd421L,0x0ce20e29f51f8L,
        0x0a698ba4060f0L } },
    /* 134 */
    { { 0xb1686ef748fecL,0xa27e9d2cf973dL,0xe265effe6e755L,0xad8d630b6544cL,
        0x0b142ef8a7aebL },
      { 0x1af9f17d5770aL,0x672cb3412fad3L,0xf3359de66af3bL,0x50756bd60d1bdL,
        0x0d1896a965851L } },
    /* 135 */
    { { 0x957ab33c41c08L,0xac5468e2e1ec5L,0xc472f6c87de94L,0xda3918816b73aL,
        0x0267b0e0b7981L },
      { 0x54e5d8e62b988L,0x55116d21e76e5L,0xd2a6f99d8ddc7L,0x93934610faf03L,
        0x0b54e287aa111L } },
    /* 136 */
    { { 0x122b5178a876bL,0xff085104b40a0L,0x4f29f7651ff96L,0xd4e6050b31ab1L,
        0x084abb28b5f87L },
      { 0xd439f8270790aL,0x9d85e3f46bd5eL,0xc1e22122d6cb5L,0x564075f55c1b6L,
        0x0e5436f671765L } },
    /* 137 */
    { { 0x9025e2286e8d5L,0xb4864453be53fL,0x408e3a0353c95L,0xe99ed832f5bdeL,
        0x00404f68b5b9cL },
      { 0x33bdea781e8e5L,0x18163c2f5bcadL,0x119caa33cdf50L,0xc701575769600L,
        0x03a4263df0ac1L } },
    /* 138 */
    { { 0x65ecc9aeb596dL,0xe7023c92b4c29L,0xe01396101ea03L,0xa3674704b4b62L,
        0x00ca8fd3f905eL },
      { 0x23a42551b2b61L,0x9c390fcd06925L,0x392a63e1eb7a8L,0x0c33e7f1d2be0L,
        0x096dca2644ddbL } },
    /* 139 */
    { { 0xbb43a387510afL,0xa8a9a36a01203L,0xf950378846feaL,0x59dcd23a57702L,
        0x04363e2123aadL },
      { 0x3a1c740246a47L,0xd2e55dd24dca4L,0xd8faf96b362b8L,0x98c4f9b086045L,
        0x0840e115cd8bbL } },
    /* 140 */
    { { 0x205e21023e8a7L,0xcdd8dc7a0bf12L,0x63a5ddfc808a8L,0xd6d4e292a2721L,
        0x05e0d6abd30deL },
      { 0x721c27cfc0f64L,0x1d0e55ed8807aL,0xd1f9db242eec0L,0xa25a26a7bef91L,
        0x07dea48f42945L } },
    /* 141 */
    { { 0xf6f1ce5060a81L,0x72f8f95615abdL,0x6ac268be79f9cL,0x16d1cfd36c540L,
        0x0abc2a2beebfdL },
      { 0x66f91d3e2eac7L,0x63d2dd04668acL,0x282d31b6f10baL,0xefc16790e3770L,
        0x04ea353946c7eL } },
    /* 142 */
    { { 0xa2f8d5266309dL,0xc081945a3eed8L,0x78c5dc10a51c6L,0xffc3cecaf45a5L,
        0x03a76e6891c94L },
      { 0xce8a47d7b0d0fL,0x968f584a5f9aaL,0xe697fbe963aceL,0x646451a30c724L,
        0x08212a10a465eL } },
    /* 143 */
    { { 0xc61c3cfab8caaL,0x840e142390ef7L,0xe9733ca18eb8eL,0xb164cd1dff677L,
        0x0aa7cab71599cL },
      { 0xc9273bc837bd1L,0xd0c36af5d702fL,0x423da49c06407L,0x17c317621292fL,
        0x040e38073fe06L } },
    /* 144 */
    { { 0x80824a7bf9b7cL,0x203fbe30d0f4fL,0x7cf9ce3365d23L,0x5526bfbe53209L,
        0x0e3604700b305L },
      { 0xb99116cc6c2c7L,0x08ba4cbee64dcL,0x37ad9ec726837L,0xe15fdcded4346L,
        0x06542d677a3deL } },
    /* 145 */
    { { 0x2b6d07b6c377aL,0x47903448be3f3L,0x0da8af76cb038L,0x6f21d6fdd3a82L,
        0x0a6534aee09bbL },
      { 0x1780d1035facfL,0x339dcb47e630aL,0x447f39335e55aL,0xef226ea50fe1cL,
        0x0f3cb672fdc9aL } },
    /* 146 */
    { { 0x719fe3b55fd83L,0x6c875ddd10eb3L,0x5cea784e0d7a4L,0x70e733ac9fa90L,
        0x07cafaa2eaae8L },
      { 0x14d041d53b338L,0xa0ef87e6c69b8L,0x1672b0fe0acc0L,0x522efb93d1081L,
        0x00aab13c1b9bdL } },
    /* 147 */
    { { 0xce278d2681297L,0xb1b509546addcL,0x661aaf2cb350eL,0x12e92dc431737L,
        0x04b91a6028470L },
      { 0xf109572f8ddcfL,0x1e9a911af4dcfL,0x372430e08ebf6L,0x1cab48f4360acL,
        0x049534c537232L } },
    /* 148 */
    { { 0xf7d71f07b7e9dL,0xa313cd516f83dL,0xc047ee3a478efL,0xc5ee78ef264b6L,
        0x0caf46c4fd65aL },
      { 0xd0c7792aa8266L,0x66913684bba04L,0xe4b16b0edf454L,0x770f56e65168aL,
        0x014ce9e5704c6L } },
    /* 149 */
    { { 0x45e3e965e8f91L,0xbacb0f2492994L,0x0c8a0a0d3aca1L,0x9a71d31cc70f9L,
        0x01bb708a53e4cL },
      { 0xa9e69558bdd7aL,0x08018a26b1d5cL,0xc9cf1ec734a05L,0x0102b093aa714L,
        0x0f9d126f2da30L } },
    /* 150 */
    { { 0xbca7aaff9563eL,0xfeb49914a0749L,0xf5f1671dd077aL,0xcc69e27a0311bL,
        0x0807afcb9729eL },
      { 0xa9337c9b08b77L,0x85443c7e387f8L,0x76fd8ba86c3a7L,0xcd8c85fafa594L,
        0x0751adcd16568L } },
    /* 151 */
    { { 0xa38b410715c0dL,0x718f7697f78aeL,0x3fbf06dd113eaL,0x743f665eab149L,
        0x029ec44682537L },
      { 0x4719cb50bebbcL,0xbfe45054223d9L,0xd2dedb1399ee5L,0x077d90cd5b3a8L,
        0x0ff9370e392a4L } },
    /* 152 */
    { { 0x2d69bc6b75b65L,0xd5266651c559aL,0xde9d7d24188f8L,0xd01a28a9f33e3L,
        0x09776478ba2a9L },
      { 0x2622d929af2c7L,0x6d4e690923885L,0x89a51e9334f5dL,0x82face6cc7e5aL,
        0x074a6313fac2fL } },
    /* 153 */
    { { 0x4dfddb75f079cL,0x9518e36fbbb2fL,0x7cd36dd85b07cL,0x863d1b6cfcf0eL,
        0x0ab75be150ff4L },
      { 0x367c0173fc9b7L,0x20d2594fd081bL,0x4091236b90a74L,0x59f615fdbf03cL,
        0x04ebeac2e0b44L } },
    /* 154 */
    { { 0xc5fe75c9f2c53L,0x118eae9411eb6L,0x95ac5d8d25220L,0xaffcc8887633fL,
        0x0df99887b2c1bL },
      { 0x8eed2850aaecbL,0x1b01d6a272bb7L,0x1cdbcac9d4918L,0x4058978dd511bL,
        0x027b040a7779fL } },
    /* 155 */
    { { 0x05db7f73b2eb2L,0x088e1b2118904L,0x962327ee0df85L,0xa3f5501b71525L,
        0x0b393dd37e4cfL },
      { 0x30e7b3fd75165L,0xc2bcd33554a12L,0xf7b5022d66344L,0x34196c36f1be0L,
        0x009588c12d046L } },
    /* 156 */
    { { 0x6093f02601c3bL,0xf8cf5c335fe08L,0x94aff28fb0252L,0x648b955cf2808L,
        0x081c879a9db9fL },
      { 0xe687cc6f56c51L,0x693f17618c040L,0x059353bfed471L,0x1bc444f88a419L,
        0x0fa0d48f55fc1L } },
    /* 157 */
    { { 0xe1c9de1608e4dL,0x113582822cbc6L,0x57ec2d7010ddaL,0x67d6f6b7ddc11L,
        0x08ea0e156b6a3L },
      { 0x4e02f2383b3b4L,0x943f01f53ca35L,0xde03ca569966bL,0xb5ac4ff6632b2L,
        0x03f5ab924fa00L } },
    /* 158 */
    { { 0xbb0d959739efbL,0xf4e7ebec0d337L,0x11a67d1c751b0L,0x256e2da52dd64L,
        0x08bc768872b74L },
      { 0xe3b7282d3d253L,0xa1f58d779fa5bL,0x16767bba9f679L,0xf34fa1cac168eL,
        0x0b386f19060fcL } },
    /* 159 */
    { { 0x3c1352fedcfc2L,0x6262f8af0d31fL,0x57288c25396bfL,0x9c4d9a02b4eaeL,
        0x04cb460f71b06L },
      { 0x7b4d35b8095eaL,0x596fc07603ae6L,0x614a16592bbf8L,0x5223e1475f66bL,
        0x052c0d50895efL } },
    /* 160 */
    { { 0xc210e15339848L,0xe870778c8d231L,0x956e170e87a28L,0x9c0b9d1de6616L,
        0x04ac3c9382bb0L },
      { 0xe05516998987dL,0xc4ae09f4d619bL,0xa3f933d8b2376L,0x05f41de0b7651L,
        0x0380d94c7e397L } },
    /* 161 */
    { { 0x355aa81542e75L,0xa1ee01b9b701aL,0x24d708796c724L,0x37af6b3a29776L,
        0x02ce3e171de26L },
      { 0xfeb49f5d5bc1aL,0x7e2777e2b5cfeL,0x513756ca65560L,0x4e4d4feaac2f9L,
        0x02e6cd8520b62L } },
    /* 162 */
    { { 0x5954b8c31c31dL,0x005bf21a0c368L,0x5c79ec968533dL,0x9d540bd7626e7L,
        0x0ca17754742c6L },
      { 0xedafff6d2dbb2L,0xbd174a9d18cc6L,0xa4578e8fd0d8cL,0x2ce6875e8793aL,
        0x0a976a7139cabL } },
    /* 163 */
    { { 0x51f1b93fb353dL,0x8b57fcfa720a6L,0x1b15281d75cabL,0x4999aa88cfa73L,
        0x08720a7170a1fL },
      { 0xe8d37693e1b90L,0x0b16f6dfc38c3L,0x52a8742d345dcL,0x893c8ea8d00abL,
        0x09719ef29c769L } },
    /* 164 */
    { { 0xeed8d58e35909L,0xdc33ddc116820L,0xe2050269366d8L,0x04c1d7f999d06L,
        0x0a5072976e157L },
      { 0xa37eac4e70b2eL,0x576890aa8a002L,0x45b2a5c84dcf6L,0x7725cd71bf186L,
        0x099389c9df7b7L } },
    /* 165 */
    { { 0xc08f27ada7a4bL,0x03fd389366238L,0x66f512c3abe9dL,0x82e46b672e897L,
        0x0a88806aa202cL },
      { 0x2044ad380184eL,0xc4126a8b85660L,0xd844f17a8cb78L,0xdcfe79d670c0aL,
        0x00043bffb4738L } },
    /* 166 */
    { { 0x9b5dc36d5192eL,0xd34590b2af8d5L,0x1601781acf885L,0x486683566d0a1L,
        0x052f3ef01ba6cL },
      { 0x6732a0edcb64dL,0x238068379f398L,0x040f3090a482cL,0x7e7516cbe5fa7L,
        0x03296bd899ef2L } },
    /* 167 */
    { { 0xaba89454d81d7L,0xef51eb9b3c476L,0x1c579869eade7L,0x71e9619a21cd8L,
        0x03b90febfaee5L },
      { 0x3023e5496f7cbL,0xd87fb51bc4939L,0x9beb5ce55be41L,0x0b1803f1dd489L,
        0x06e88069d9f81L } },
    /* 168 */
    { { 0x7ab11b43ea1dbL,0xa95259d292ce3L,0xf84f1860a7ff1L,0xad13851b02218L,
        0x0a7222beadefaL },
      { 0xc78ec2b0a9144L,0x51f2fa59c5a2aL,0x147ce385a0240L,0xc69091d1eca56L,
        0x0be94d523bc2aL } },
    /* 169 */
    { { 0x4945e0b226ce7L,0x47967e8b7072fL,0x5a6c63eb8afd7L,0xc766edea46f18L,
        0x07782defe9be8L },
      { 0xd2aa43db38626L,0x8776f67ad1760L,0x4499cdb460ae7L,0x2e4b341b86fc5L,
        0x003838567a289L } },
    /* 170 */
    { { 0xdaefd79ec1a0fL,0xfdceb39c972d8L,0x8f61a953bbcd6L,0xb420f5575ffc5L,
        0x0dbd986c4adf7L },
      { 0xa881415f39eb7L,0xf5b98d976c81aL,0xf2f717d6ee2fcL,0xbbd05465475dcL,
        0x08e24d3c46860L } },
    /* 171 */
    { { 0xd8e549a587390L,0x4f0cbec588749L,0x25983c612bb19L,0xafc846e07da4bL,
        0x0541a99c4407bL },
      { 0x41692624c8842L,0x2ad86c05ffdb2L,0xf7fcf626044c1L,0x35d1c59d14b44L,
        0x0c0092c49f57dL } },
    /* 172 */
    { { 0xc75c3df2e61efL,0xc82e1b35cad3cL,0x09f29f47e8841L,0x944dc62d30d19L,
        0x075e406347286L },
      { 0x41fc5bbc237d0L,0xf0ec4f01c9e7dL,0x82bd534c9537bL,0x858691c51a162L,
        0x05b7cb658c784L } },
    /* 173 */
    { { 0xa70848a28ead1L,0x08fd3b47f6964L,0x67e5b39802dc5L,0x97a19ae4bfd17L,
        0x07ae13eba8df0L },
      { 0x16ef8eadd384eL,0xd9b6b2ff06fd2L,0xbcdb5f30361a2L,0xe3fd204b98784L,
        0x0787d8074e2a8L } },
    /* 174 */
    { { 0x25d6b757fbb1cL,0xb2ca201debc5eL,0xd2233ffe47bddL,0x84844a55e9a36L,
        0x05c2228199ef2L },
      { 0xd4a8588315250L,0x2b827097c1773L,0xef5d33f21b21aL,0xf2b0ab7c4ea1dL,
        0x0e45d37abbaf0L } },
    /* 175 */
    { { 0xf1e3428511c8aL,0xc8bdca6cd3d2dL,0x27c39a7ebb229L,0xb9d3578a71a76L,
        0x0ed7bc12284dfL },
      { 0x2a6df93dea561L,0x8dd48f0ed1cf2L,0xbad23e85443f1L,0x6d27d8b861405L,
        0x0aac97cc945caL } },
    /* 176 */
    { { 0x4ea74a16bd00aL,0xadf5c0bcc1eb5L,0xf9bfc06d839e9L,0xdc4e092bb7f11L,
        0x0318f97b31163L },
      { 0x0c5bec30d7138L,0x23abc30220eccL,0x022360644e8dfL,0xff4d2bb7972fbL,
        0x0fa41faa19a84L } },
    /* 177 */
    { { 0x2d974a6642269L,0xce9bb783bd440L,0x941e60bc81814L,0xe9e2398d38e47L,
        0x038bb6b2c1d26L },
      { 0xe4a256a577f87L,0x53dc11fe1cc64L,0x22807288b52d2L,0x01a5ff336abf6L,
        0x094dd0905ce76L } },
    /* 178 */
    { { 0xcf7dcde93f92aL,0xcb89b5f315156L,0x995e750a01333L,0x2ae902404df9cL,
        0x092077867d25cL },
      { 0x71e010bf39d44L,0x2096bb53d7e24L,0xc9c3d8f5f2c90L,0xeb514c44b7b35L,
        0x081e8428bd29bL } },
    /* 179 */
    { { 0x9c2bac477199fL,0xee6b5ecdd96ddL,0xe40fd0e8cb8eeL,0xa4b18af7db3feL,
        0x01b94ab62dbbfL },
      { 0x0d8b3ce47f143L,0xfc63f4616344fL,0xc59938351e623L,0x90eef18f270fcL,
        0x006a38e280555L } },
    /* 180 */
    { { 0xb0139b3355b49L,0x60b4ebf99b2e5L,0x269f3dc20e265L,0xd4f8c08ffa6bdL,
        0x0a7b36c2083d9L },
      { 0x15c3a1b3e8830L,0xe1a89f9c0b64dL,0x2d16930d5fceaL,0x2a20cfeee4a2eL,
        0x0be54c6b4a282L } },
    /* 181 */
    { { 0xdb3df8d91167cL,0x79e7a6625ed6cL,0x46ac7f4517c3fL,0x22bb7105648f3L,
        0x0bf30a5abeae0L },
      { 0x785be93828a68L,0x327f3ef0368e7L,0x92146b25161c3L,0xd13ae11b5feb5L,
        0x0d1c820de2732L } },
    /* 182 */
    { { 0xe13479038b363L,0x546b05e519043L,0x026cad158c11fL,0x8da34fe57abe6L,
        0x0b7d17bed68a1L },
      { 0xa5891e29c2559L,0x765bfffd8444cL,0x4e469484f7a03L,0xcc64498de4af7L,
        0x03997fd5e6412L } },
    /* 183 */
    { { 0x746828bd61507L,0xd534a64d2af20L,0xa8a15e329e132L,0x13e8ffeddfb08L,
        0x00eeb89293c6cL },
      { 0x69a3ea7e259f8L,0xe6d13e7e67e9bL,0xd1fa685ce1db7L,0xb6ef277318f6aL,
        0x0228916f8c922L } },
    /* 184 */
    { { 0xae25b0a12ab5bL,0x1f957bc136959L,0x16e2b0ccc1117L,0x097e8058429edL,
        0x0ec05ad1d6e93L },
      { 0xba5beac3f3708L,0x3530b59d77157L,0x18234e531baf9L,0x1b3747b552371L,
        0x07d3141567ff1L } },
    /* 185 */
    { { 0x9c05cf6dfefabL,0x68dcb377077bdL,0xa38bb95be2f22L,0xd7a3e53ead973L,
        0x0e9ce66fc9bc1L },
      { 0xa15766f6a02a1L,0xdf60e600ed75aL,0x8cdc1b938c087L,0x0651f8947f346L,
        0x0d9650b017228L } },
    /* 186 */
    { { 0xb4c4a5a057e60L,0xbe8def25e4504L,0x7c1ccbdcbccc3L,0xb7a2a63532081L,
        0x014d6699a804eL },
      { 0xa8415db1f411aL,0x0bf80d769c2c8L,0xc2f77ad09fbafL,0x598ab4deef901L,
        0x06f4c68410d43L } },
    /* 187 */
    { { 0x6df4e96c24a96L,0x85fcbd99a3872L,0xb2ae30a534dbcL,0x9abb3c466ef28L,
        0x04c4350fd6118L },
      { 0x7f716f855b8daL,0x94463c38a1296L,0xae9334341a423L,0x18b5c37e1413eL,
        0x0a726d2425a31L } },
    /* 188 */
    { { 0x6b3ee948c1086L,0x3dcbd3a2e1daeL,0x3d022f3f1de50L,0xf3923f35ed3f0L,
        0x013639e82cc6cL },
      { 0x938fbcdafaa86L,0xfb2654a2589acL,0x5051329f45bc5L,0x35a31963b26e4L,
        0x0ca9365e1c1a3L } },
    /* 189 */
    { { 0x5ac754c3b2d20L,0x17904e241b361L,0xc9d071d742a54L,0x72a5b08521c4cL,
        0x09ce29c34970bL },
      { 0x81f736d3e0ad6L,0x9ef2f8434c8ccL,0xce862d98060daL,0xaf9835ed1d1a6L,
        0x048c4abd7ab42L } },
    /* 190 */
    { { 0x1b0cc40c7485aL,0xbbe5274dbfd22L,0x263d2e8ead455L,0x33cb493c76989L,
        0x078017c32f67bL },
      { 0x35769930cb5eeL,0x940c408ed2b9dL,0x72f1a4dc0d14eL,0x1c04f8b7bf552L,
        0x053cd0454de5cL } },
    /* 191 */
    { { 0x585fa5d28ccacL,0x56005b746ebcdL,0xd0123aa5f823eL,0xfa8f7c79f0a1cL,
        0x0eea465c1d3d7L },
      { 0x0659f0551803bL,0x9f7ce6af70781L,0x9288e706c0b59L,0x91934195a7702L,
        0x01b6e42a47ae6L } },
    /* 192 */
    { { 0x0937cf67d04c3L,0xe289eeb8112e8L,0x2594d601e312bL,0xbd3d56b5d8879L,
        0x00224da14187fL },
      { 0xbb8630c5fe36fL,0x604ef51f5f87aL,0x3b429ec580f3cL,0xff33964fb1bfbL,
        0x060838ef042bfL } },
    /* 193 */
    { { 0xcb2f27e0bbe99L,0xf304aa39ee432L,0xfa939037bda44L,0x16435f497c7a9L,
        0x0636eb2022d33L },
      { 0xd0e6193ae00aaL,0xfe31ae6d2ffcfL,0xf93901c875a00L,0x8bacf43658a29L,
        0x08844eeb63921L } },
    /* 194 */
    { { 0x171d26b3bae58L,0x7117e39f3e114L,0x1a8eada7db3dfL,0x789ecd37bc7f8L,
        0x027ba83dc51fbL },
      { 0xf439ffbf54de5L,0x0bb5fe1a71a7dL,0xb297a48727703L,0xa4ab42ee8e35dL,
        0x0adb62d3487f3L } },
    /* 195 */
    { { 0x168a2a175df2aL,0x4f618c32e99b1L,0x46b0916082aa0L,0xc8b2c9e4f2e71L,
        0x0b990fd7675e7L },
      { 0x9d96b4df37313L,0x79d0b40789082L,0x80877111c2055L,0xd18d66c9ae4a7L,
        0x081707ef94d10L } },
    /* 196 */
    { { 0x7cab203d6ff96L,0xfc0d84336097dL,0x042db4b5b851bL,0xaa5c268823c4dL,
        0x03792daead5a8L },
      { 0x18865941afa0bL,0x4142d83671528L,0xbe4e0a7f3e9e7L,0x01ba17c825275L,
        0x05abd635e94b0L } },
    /* 197 */
    { { 0xfa84e0ac4927cL,0x35a7c8cf23727L,0xadca0dfe38860L,0xb610a4bcd5ea4L,
        0x05995bf21846aL },
      { 0xf860b829dfa33L,0xae958fc18be90L,0x8630366caafe2L,0x411e9b3baf447L,
        0x044c32ca2d483L } },
    /* 198 */
    { { 0xa97f1e40ed80cL,0xb131d2ca82a74L,0xc2d6ad95f938cL,0xa54c53f2124b7L,
        0x01f2162fb8082L },
      { 0x67cc5720b173eL,0x66085f12f97e4L,0xc9d65dc40e8a6L,0x07c98cebc20e4L,
        0x08f1d402bc3e9L } },
    /* 199 */
    { { 0x92f9cfbc4058aL,0xb6292f56704f5L,0xc1d8c57b15e14L,0xdbf9c55cfe37bL,
        0x0b1980f43926eL },
      { 0x33e0932c76b09L,0x9d33b07f7898cL,0x63bb4611df527L,0x8e456f08ead48L,
        0x02828ad9b3744L } },
    /* 200 */
    { { 0x722c4c4cf4ac5L,0x3fdde64afb696L,0x0890832f5ac1aL,0xb3900551baa2eL,
        0x04973f1275a14L },
      { 0xd8335322eac5dL,0xf50bd9b568e59L,0x25883935e07eeL,0x8ac7ab36720faL,
        0x06dac8ed0db16L } },
    /* 201 */
    { { 0x545aeeda835efL,0xd21d10ed51f7bL,0x3741b094aa113L,0xde4c035a65e01L,
        0x04b23ef5920b9L },
      { 0xbb6803c4c7341L,0x6d3f58bc37e82L,0x51e3ee8d45770L,0x9a4e73527863aL,
        0x04dd71534ddf4L } },
    /* 202 */
    { { 0x4467295476cd9L,0x2fe31a725bbf9L,0xc4b67e0648d07L,0x4dbb1441c8b8fL,
        0x0fd3170002f4aL },
      { 0x43ff48995d0e1L,0xd10ef729aa1cbL,0x179898276e695L,0xf365e0d5f9764L,
        0x014fac58c9569L } },
    /* 203 */
    { { 0xa0065f312ae18L,0xc0fcc93fc9ad9L,0xa7d284651958dL,0xda50d9a142408L,
        0x0ed7c765136abL },
      { 0x70f1a25d4abbcL,0xf3f1a113ea462L,0xb51952f9b5dd8L,0x9f53c609b0755L,
        0x0fefcb7f74d2eL } },
    /* 204 */
    { { 0x9497aba119185L,0x30aac45ba4bd0L,0xa521179d54e8cL,0xd80b492479deaL,
        0x01801a57e87e0L },
      { 0xd3f8dfcafffb0L,0x0bae255240073L,0xb5fdfbc6cf33cL,0x1064781d763b5L,
        0x09f8fc11e1eadL } },
    /* 205 */
    { { 0x3a1715e69544cL,0x67f04b7813158L,0x78a4c320eaf85L,0x69a91e22a8fd2L,
        0x0a9d3809d3d3aL },
      { 0xc2c2c59a2da3bL,0xf61895c847936L,0x3d5086938ccbcL,0x8ef75e65244e6L,
        0x03006b9aee117L } },
    /* 206 */
    { { 0x1f2b0c9eead28L,0x5d89f4dfbc0bbL,0x2ce89397eef63L,0xf761074757fdbL,
        0x00ab85fd745f8L },
      { 0xa7c933e5b4549L,0x5c97922f21ecdL,0x43b80404be2bbL,0x42c2261a1274bL,
        0x0b122d67511e9L } },
    /* 207 */
    { { 0x607be66a5ae7aL,0xfa76adcbe33beL,0xeb6e5c501e703L,0xbaecaf9043014L,
        0x09f599dc1097dL },
      { 0x5b7180ff250edL,0x74349a20dc6d7L,0x0b227a38eb915L,0x4b78425605a41L,
        0x07d5528e08a29L } },
    /* 208 */
    { { 0x58f6620c26defL,0xea582b2d1ef0fL,0x1ce3881025585L,0x1730fbe7d79b0L,
        0x028ccea01303fL },
      { 0xabcd179644ba5L,0xe806fff0b8d1dL,0x6b3e17b1fc643L,0x13bfa60a76fc6L,
        0x0c18baf48a1d0L } },
    /* 209 */
    { { 0x638c85dc4216dL,0x67206142ac34eL,0x5f5064a00c010L,0x596bd453a1719L,
        0x09def809db7a9L },
      { 0x8642e67ab8d2cL,0x336237a2b641eL,0x4c4218bb42404L,0x8ce57d506a6d6L,
        0x00357f8b06880L } },
    /* 210 */
    { { 0xdbe644cd2cc88L,0x8df0b8f39d8e9L,0xd30a0c8cc61c2L,0x98874a309874cL,
        0x0e4a01add1b48L },
      { 0x1eeacf57cd8f9L,0x3ebd594c482edL,0xbd2f7871b767dL,0xcc30a7295c717L,
        0x0466d7d79ce10L } },
    /* 211 */
    { { 0x318929dada2c7L,0xc38f9aa27d47dL,0x20a59e14fa0a6L,0xad1a90e4fd288L,
        0x0c672a522451eL },
      { 0x07cc85d86b655L,0x3bf9ad4af1306L,0x71172a6f0235dL,0x751399a086805L,
        0x05e3d64faf2a6L } },
    /* 212 */
    { { 0x410c79b3b4416L,0x85eab26d99aa6L,0xb656a74cd8fcfL,0x42fc5ebff74adL,
        0x06c8a7a95eb8eL },
      { 0x60ba7b02a63bdL,0x038b8f004710cL,0x12d90b06b2f23L,0xca918c6c37383L,
        0x0348ae422ad82L } },
    /* 213 */
    { { 0x746635ccda2fbL,0xa18e0726d27f4L,0x92b1f2022accaL,0x2d2e85adf7824L,
        0x0c1074de0d9efL },
      { 0x3ce44ae9a65b3L,0xac05d7151bfcfL,0xe6a9788fd71e4L,0x4ffcd4711f50cL,
        0x0fbadfbdbc9e5L } },
    /* 214 */
    { { 0x3f1cd20a99363L,0x8f6cf22775171L,0x4d359b2b91565L,0x6fcd968175cd2L,
        0x0b7f976b48371L },
      { 0x8e24d5d6dbf74L,0xfd71c3af36575L,0x243dfe38d23baL,0xc80548f477600L,
        0x0f4d41b2ecafcL } },
    /* 215 */
    { { 0x1cf28fdabd48dL,0x3632c078a451fL,0x17146e9ce81beL,0x0f106ace29741L,
        0x0180824eae016L },
      { 0x7698b66e58358L,0x52ce6ca358038L,0xe41e6c5635687L,0x6d2582380e345L,
        0x067e5f63983cfL } },
    /* 216 */
    { { 0xccb8dcf4899efL,0xf09ebb44c0f89L,0x2598ec9949015L,0x1fc6546f9276bL,
        0x09fef789a04c1L },
      { 0x67ecf53d2a071L,0x7fa4519b096d3L,0x11e2eefb10e1aL,0x4e20ca6b3fb06L,
        0x0bc80c181a99cL } },
    /* 217 */
    { { 0x536f8e5eb82e6L,0xc7f56cb920972L,0x0b5da5e1a484fL,0xdf10c78e21715L,
        0x049270e629f8cL },
      { 0x9b7bbea6b50adL,0xc1a2388ffc1a3L,0x107197b9a0284L,0x2f7f5403eb178L,
        0x0d2ee52f96137L } },
    /* 218 */
    { { 0xcd28588e0362aL,0xa78fa5d94dd37L,0x434a526442fa8L,0xb733aff836e5aL,
        0x0dfb478bee5abL },
      { 0xf1ce7673eede6L,0xd42b5b2f04a91L,0x530da2fa5390aL,0x473a5e66f7bf5L,
        0x0d9a140b408dfL } },
    /* 219 */
    { { 0x221b56e8ea498L,0x293563ee090e0L,0x35d2ade623478L,0x4b1ae06b83913L,
        0x0760c058d623fL },
      { 0x9b58cc198aa79L,0xd2f07aba7f0b8L,0xde2556af74890L,0x04094e204110fL,
        0x07141982d8f19L } },
    /* 220 */
    { { 0xa0e334d4b0f45L,0x38392a94e16f0L,0x3c61d5ed9280bL,0x4e473af324c6bL,
        0x03af9d1ce89d5L },
      { 0xf798120930371L,0x4c21c17097fd8L,0xc42309beda266L,0x7dd60e9545dcdL,
        0x0b1f815c37395L } },
    /* 221 */
    { { 0xaa78e89fec44aL,0x473caa4caf84fL,0x1b6a624c8c2aeL,0xf052691c807dcL,
        0x0a41aed141543L },
      { 0x353997d5ffe04L,0xdf625b6e20424L,0x78177758bacb2L,0x60ef85d660be8L,
        0x0d6e9c1dd86fbL } },
    /* 222 */
    { { 0x2e97ec6853264L,0xb7e2304a0b3aaL,0x8eae9be771533L,0xf8c21b912bb7bL,
        0x09c9c6e10ae9bL },
      { 0x09a59e030b74cL,0x4d6a631e90a23L,0x49b79f24ed749L,0x61b689f44b23aL,
        0x0566bd59640faL } },
    /* 223 */
    { { 0xc0118c18061f3L,0xd37c83fc70066L,0x7273245190b25L,0x345ef05fc8e02L,
        0x0cf2c7390f525L },
      { 0xbceb410eb30cfL,0xba0d77703aa09L,0x50ff255cfd2ebL,0x0979e842c43a1L,
        0x002f517558aa2L } },
    /* 224 */
    { { 0xef794addb7d07L,0x4224455500396L,0x78aa3ce0b4fc7L,0xd97dfaff8eaccL,
        0x014e9ada5e8d4L },
      { 0x480a12f7079e2L,0xcde4b0800edaaL,0x838157d45baa3L,0x9ae801765e2d7L,
        0x0a0ad4fab8e9dL } },
    /* 225 */
    { { 0xb76214a653618L,0x3c31eaaa5f0bfL,0x4949d5e187281L,0xed1e1553e7374L,
        0x0bcd530b86e56L },
      { 0xbe85332e9c47bL,0xfeb50059ab169L,0x92bfbb4dc2776L,0x341dcdba97611L,
        0x0909283cf6979L } },
    /* 226 */
    { { 0x0032476e81a13L,0x996217123967bL,0x32e19d69bee1aL,0x549a08ed361bdL,
        0x035eeb7c9ace1L },
      { 0x0ae5a7e4e5bdcL,0xd3b6ceec6e128L,0xe266bc12dcd2cL,0xe86452e4224c6L,
        0x09a8b2cf4448aL } },
    /* 227 */
    { { 0x71bf209d03b59L,0xa3b65af2abf64L,0xbd5eec9c90e62L,0x1379ff7ff168eL,
        0x06bdb60f4d449L },
      { 0xafebc8a55bc30L,0x1610097fe0dadL,0xc1e3bddc79eadL,0x08a942e197414L,
        0x001ec3cfd94baL } },
    /* 228 */
    { { 0x277ebdc9485c2L,0x7922fb10c7ba6L,0x0a28d8a48cc9aL,0x64f64f61d60f7L,
        0x0d1acb1c04754L },
      { 0x902b126f36612L,0x4ee0618d8bd26L,0x08357ee59c3a4L,0x26c24df8a8133L,
        0x07dcd079d4056L } },
    /* 229 */
    { { 0x7d4d3f05a4b48L,0x52372307725ceL,0x12a915aadcd29L,0x19b8d18f79718L,
        0x00bf53589377dL },
      { 0xcd95a6c68ea73L,0xca823a584d35eL,0x473a723c7f3bbL,0x86fc9fb674c6fL,
        0x0d28be4d9e166L } },
    /* 230 */
    { { 0xb990638fa8e4bL,0x6e893fd8fc5d2L,0x36fb6fc559f18L,0x88ce3a6de2aa4L,
        0x0d76007aa510fL },
      { 0x0aab6523a4988L,0x4474dd02732d1L,0x3407278b455cfL,0xbb017f467082aL,
        0x0f2b52f68b303L } },
    /* 231 */
    { { 0x7eafa9835b4caL,0xfcbb669cbc0d5L,0x66431982d2232L,0xed3a8eeeb680cL,
        0x0d8dbe98ecc5aL },
      { 0x9be3fc5a02709L,0xe5f5ba1fa8cbaL,0x10ea85230be68L,0x9705febd43cdfL,
        0x0e01593a3ee55L } },
    /* 232 */
    { { 0x5af50ea75a0a6L,0xac57858033d3eL,0x0176406512226L,0xef066fe6d50fdL,
        0x0afec07b1aeb8L },
      { 0x9956780bb0a31L,0xcc37309aae7fbL,0x1abf3896f1af3L,0xbfdd9153a15a0L,
        0x0a71b93546e2dL } },
    /* 233 */
    { { 0xe12e018f593d2L,0x28a078122bbf8L,0xba4f2add1a904L,0x23d9150505db0L,
        0x053a2005c6285L },
      { 0x8b639e7f2b935L,0x5ac182961a07cL,0x518ca2c2bff97L,0x8e3d86bceea77L,
        0x0bf47d19b3d58L } },
    /* 234 */
    { { 0x967a7dd7665d5L,0x572f2f4de5672L,0x0d4903f4e3030L,0xa1b6144005ae8L,
        0x0001c2c7f39c9L },
      { 0xa801469efc6d6L,0xaa7bc7a724143L,0x78150a4c810bdL,0xb99b5f65670baL,
        0x0fdadf8e786ffL } },
    /* 235 */
    { { 0x8cb88ffc00785L,0x913b48eb67fd3L,0xf368fbc77fa75L,0x3c940454d055bL,
        0x03a838e4d5aa4L },
      { 0x663293e97bb9aL,0x63441d94d9561L,0xadb2a839eb933L,0x1da3515591a60L,
        0x03cdb8257873eL } },
    /* 236 */
    { { 0x140a97de77eabL,0x0d41648109137L,0xeb1d0dff7e1c5L,0x7fba762dcad2cL,
        0x05a60cc89f1f5L },
      { 0x3638240d45673L,0x195913c65580bL,0xd64b7411b82beL,0x8fc0057284b8dL,
        0x0922ff56fdbfdL } },
    /* 237 */
    { { 0x65deec9a129a1L,0x57cc284e041b2L,0xebfbe3ca5b1ceL,0xcd6204380c46cL,
        0x072919a7df6c5L },
      { 0xf453a8fb90f9aL,0x0b88e4031b298L,0x96f1856d719c0L,0x089ae32c0e777L,
        0x05e7917803624L } },
    /* 238 */
    { { 0x6ec557f63cdfbL,0x71f1cae4fd5c1L,0x60597ca8e6a35L,0x2fabfce26bea5L,
        0x04e0a5371e24cL },
      { 0xa40d3a5765357L,0x440d73a2b4276L,0x1d11a323c89afL,0x04eeb8f370ae4L,
        0x0f5ff7818d566L } },
    /* 239 */
    { { 0x3e3fe1a09df21L,0x8ee66e8e47fbfL,0x9c8901526d5d2L,0x5e642096bd0a2L,
        0x0e41df0e9533fL },
      { 0xfda40b3ba9e3fL,0xeb2604d895305L,0xf0367c7f2340cL,0x155f0866e1927L,
        0x08edd7d6eac4fL } },
    /* 240 */
    { { 0x1dc0e0bfc8ff3L,0x2be936f42fc9aL,0xca381ef14efd8L,0xee9667016f7ccL,
        0x01432c1caed8aL },
      { 0x8482970b23c26L,0x730735b273ec6L,0xaef0f5aa64fe8L,0xd2c6e389f6e5eL,
        0x0caef480b5ac8L } },
    /* 241 */
    { { 0x5c97875315922L,0x713063cca5524L,0x64ef2cbd82951L,0xe236f3ce60d0bL,
        0x0d0ba177e8efaL },
      { 0x9ae8fb1b3af60L,0xe53d2da20e53aL,0xf9eef281a796aL,0xae1601d63605dL,
        0x0f31c957c1c54L } },
    /* 242 */
    { { 0x58d5249cc4597L,0xb0bae0a028c0fL,0x34a814adc5015L,0x7c3aefc5fc557L,
        0x0013404cb96e1L },
      { 0xe2585c9a824bfL,0x5e001eaed7b29L,0x1ef68acd59318L,0x3e6c8d6ee6826L,
        0x06f377c4b9193L } },
    /* 243 */
    { { 0x3bad1a8333fd2L,0x025a2a95b89f9L,0xaf75acea89302L,0x9506211e5037eL,
        0x06dba3e4ed2d0L },
      { 0xef98cd04399cdL,0x6ee6b73adea48L,0x17ecaf31811c6L,0xf4a772f60752cL,
        0x0f13cf3423becL } },
    /* 244 */
    { { 0xb9ec0a919e2ebL,0x95f62c0f68ceeL,0xaba229983a9a1L,0xbad3cfba3bb67L,
        0x0c83fa9a9274bL },
      { 0xd1b0b62fa1ce0L,0xf53418efbf0d7L,0x2706f04e58b60L,0x2683bfa8ef9e5L,
        0x0b49d70f45d70L } },
    /* 245 */
    { { 0xc7510fad5513bL,0xecb1751e2d914L,0x9fb9d5905f32eL,0xf1cf6d850418dL,
        0x059cfadbb0c30L },
      { 0x7ac2355cb7fd6L,0xb8820426a3e16L,0x0a78864249367L,0x4b67eaeec58c9L,
        0x05babf362354aL } },
    /* 246 */
    { { 0x981d1ee424865L,0x78f2e5577f37cL,0x9e0c0588b0028L,0xc8f0702970f1bL,
        0x06188c6a79026L },
      { 0x9a19bd0f244daL,0x5cfb08087306fL,0xf2136371eccedL,0xb9d935470f9b9L,
        0x0993fe475df50L } },
    /* 247 */
    { { 0x31cdf9b2c3609L,0xc02c46d4ea68eL,0xa77510184eb19L,0x616b7ac9ec1a9L,
        0x081f764664c80L },
      { 0xc2a5a75fbe978L,0xd3f183b3561d7L,0x01dd2bf6743feL,0x060d838d1f045L,
        0x0564a812a5fe9L } },
    /* 248 */
    { { 0xa64f4fa817d1dL,0x44bea82e0f7a5L,0xd57f9aa55f968L,0x1d6cb5ff5a0fcL,
        0x0226bf3cf00e5L },
      { 0x1a9f92f2833cfL,0x5a4f4f89a8d6dL,0xf3f7f7720a0a3L,0x783611536c498L,
        0x068779f47ff25L } },
    /* 249 */
    { { 0x0c1c173043d08L,0x741fc020fa79bL,0xa6d26d0a54467L,0x2e0bd3767e289L,
        0x097bcb0d1eb09L },
      { 0x6eaa8f32ed3c3L,0x51b281bc482abL,0xfa178f3c8a4f1L,0x46554d1bf4f3bL,
        0x0a872ffe80a78L } },
    /* 250 */
    { { 0xb7935a32b2086L,0x0e8160f486b1aL,0xb6ae6bee1eb71L,0xa36a9bd0cd913L,
        0x002812bfcb732L },
      { 0xfd7cacf605318L,0x50fdfd6d1da63L,0x102d619646e5dL,0x96afa1d683982L,
        0x007391cc9fe53L } },
    /* 251 */
    { { 0x157f08b80d02bL,0xd162877f7fc50L,0x8d542ae6b8333L,0x2a087aca1af87L,
        0x0355d2adc7e6dL },
      { 0xf335a287386e1L,0x94f8e43275b41L,0x79989eafd272aL,0x3a79286ca2cdeL,
        0x03dc2b1e37c2aL } },
    /* 252 */
    { { 0x9d21c04581352L,0x25376782bed68L,0xfed701f0a00c8L,0x846b203bd5909L,
        0x0c47869103ccdL },
      { 0xa770824c768edL,0x026841f6575dbL,0xaccce0e72feeaL,0x4d3273313ed56L,
        0x0ccc42968d5bbL } },
    /* 253 */
    { { 0x50de13d7620b9L,0x8a5992a56a94eL,0x75487c9d89a5cL,0x71cfdc0076406L,
        0x0e147eb42aa48L },
      { 0xab4eeacf3ae46L,0xfb50350fbe274L,0x8c840eafd4936L,0x96e3df2afe474L,
        0x0239ac047080eL } },
    /* 254 */
    { { 0xd1f352bfee8d4L,0xcffa7b0fec481L,0xce9af3cce80b5L,0xe59d105c4c9e2L,
        0x0c55fa1a3f5f7L },
      { 0x6f14e8257c227L,0x3f342be00b318L,0xa904fb2c5b165L,0xb69909afc998aL,
        0x0094cd99cd4f4L } },
    /* 255 */
    { { 0x81c84d703bebaL,0x5032ceb2918a9L,0x3bd49ec8631d1L,0xad33a445f2c9eL,
        0x0b90a30b642abL },
      { 0x5404fb4a5abf9L,0xc375db7603b46L,0xa35d89f004750L,0x24f76f9a42cccL,
        0x0019f8b9a1b79L } },
};

/* Multiply the base point of P256 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^32, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_ecc_mulmod_base_5(sp_point_256* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    return sp_256_ecc_mulmod_stripe_5(r, &p256_base, p256_table,
                                      k, map, ct, heap);
}

#endif

/* Multiply the base point of P256 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_256(const mp_int* km, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_256  point[1];
    sp_digit k[5];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_256_from_mp(k, 5, km);

            err = sp_256_ecc_mulmod_base_5(point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_256_point_to_ecc_point_5(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the base point of P256 by the scalar, add point a and return
 * the result. If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_add_256(const mp_int* km, const ecc_point* am,
        int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_256 point[2];
    sp_digit k[5 + 5 * 2 * 6];
#endif
    sp_point_256* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (5 + 5 * 2 * 6),
            heap, DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 5;

        sp_256_from_mp(k, 5, km);
        sp_256_point_from_ecc_point_5(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->x, addP->x, p256_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->y, addP->y, p256_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_256_mod_mul_norm_5(addP->z, addP->z, p256_mod);
    }
    if (err == MP_OKAY) {
            err = sp_256_ecc_mulmod_base_5(point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_256_proj_point_add_5(point, point, addP, tmp);

        if (map) {
                sp_256_map_5(point, point, tmp);
        }

        err = sp_256_point_to_ecc_point_5(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                                        defined(HAVE_ECC_VERIFY)
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN | HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
/* Add 1 to a. (a = a + 1)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_256_add_one_5(sp_digit* a)
{
    a[0]++;
    sp_256_norm_5(a);
}

/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_256_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 44U) {
            r[j] &= 0xfffffffffffffL;
            s = 52U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Generates a scalar that is in the range 1..order-1.
 *
 * rng  Random number generator.
 * k    Scalar value.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
static int sp_256_ecc_gen_k_5(WC_RNG* rng, sp_digit* k)
{
    int err;
    byte buf[32];

    do {
        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
        if (err == 0) {
            sp_256_from_bin(k, 5, buf, (int)sizeof(buf));
            if (sp_256_cmp_5(k, p256_order2) <= 0) {
                sp_256_add_one_5(k);
                break;
            }
        }
    }
    while (err == 0);

    return err;
}

/* Makes a random EC key pair.
 *
 * rng   Random number generator.
 * priv  Generated private value.
 * pub   Generated public point.
 * heap  Heap to use for allocation.
 * returns ECC_INF_E when the point does not have the correct order, RNG
 * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_make_key_256(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_256 point[2];
    #else
    sp_point_256 point[1];
    #endif
    sp_digit k[5];
#endif
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_256* infinity = NULL;
#endif
    int err = MP_OKAY;


    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap, DYNAMIC_TYPE_ECC);
    #else
    point = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap, DYNAMIC_TYPE_ECC);
    #endif
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        infinity = point + 1;
    #endif

        err = sp_256_ecc_gen_k_5(rng, k);
    }
    if (err == MP_OKAY) {
            err = sp_256_ecc_mulmod_base_5(point, k, 1, 1, NULL);
    }

#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    if (err == MP_OKAY) {
            err = sp_256_ecc_mulmod_5(infinity, point, p256_order, 1, 1, NULL);
    }
    if (err == MP_OKAY) {
        if (sp_256_iszero_5(point->x) || sp_256_iszero_5(point->y)) {
            err = ECC_INF_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        err = sp_256_to_mp(k, priv);
    }
    if (err == MP_OKAY) {
        err = sp_256_point_to_ecc_point_5(point, pub);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL) {
        /* point is not sensitive, so no need to zeroize */
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    }
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_key_gen_256_ctx {
    int state;
    sp_256_ecc_mulmod_5_ctx mulmod_ctx;
    sp_digit k[5];
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_256  point[2];
#else
    sp_point_256 point[1];
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
} sp_ecc_key_gen_256_ctx;

int sp_ecc_make_key_256_nb(sp_ecc_ctx_t* sp_ctx, WC_RNG* rng, mp_int* priv,
    ecc_point* pub, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_key_gen_256_ctx* ctx = (sp_ecc_key_gen_256_ctx*)sp_ctx->data;
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_256* infinity = ctx->point + 1;
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */

    typedef char ctx_size_test[sizeof(sp_ecc_key_gen_256_ctx)
                               >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
        case 0:
            err = sp_256_ecc_gen_k_5(rng, ctx->k);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
                ctx->state = 1;
            }
            break;
        case 1:
            err = sp_256_ecc_mulmod_base_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
            #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
                XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
                ctx->state = 2;
            #else
                ctx->state = 3;
            #endif
            }
            break;
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        case 2:
            err = sp_256_ecc_mulmod_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      infinity, ctx->point, p256_order, 1, 1);
            if (err == MP_OKAY) {
                if (sp_256_iszero_5(ctx->point->x) ||
                    sp_256_iszero_5(ctx->point->y)) {
                    err = ECC_INF_E;
                }
                else {
                    err = FP_WOULDBLOCK;
                    ctx->state = 3;
                }
            }
            break;
    #endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
        case 3:
            err = sp_256_to_mp(ctx->k, priv);
            if (err == MP_OKAY) {
                err = sp_256_point_to_ecc_point_5(ctx->point, pub);
            }
            break;
    }

    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_key_gen_256_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

#ifdef HAVE_ECC_DHE
/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 32
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_256_to_bin_5(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<4; i++) {
        r[i+1] += r[i] >> 52;
        r[i] &= 0xfffffffffffffL;
    }
    j = 263 / 8 - 1;
    a[j] = 0;
    for (i=0; i<5 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 52) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 52);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

/* Multiply the point by the scalar and serialize the X ordinate.
 * The number is 0 padded to maximum size on output.
 *
 * priv    Scalar to multiply the point by.
 * pub     Point to multiply.
 * out     Buffer to hold X ordinate.
 * outLen  On entry, size of the buffer in bytes.
 *         On exit, length of data in buffer in bytes.
 * heap    Heap to use for allocation.
 * returns BUFFER_E if the buffer is to small for output size,
 * MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_secret_gen_256(const mp_int* priv, const ecc_point* pub, byte* out,
                          word32* outLen, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_256 point[1];
    sp_digit k[5];
#endif
    int err = MP_OKAY;

    if (*outLen < 32U) {
        err = BUFFER_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap,
                                         DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_256_from_mp(k, 5, priv);
        sp_256_point_from_ecc_point_5(point, pub);
            err = sp_256_ecc_mulmod_5(point, point, k, 1, 1, heap);
    }
    if (err == MP_OKAY) {
        sp_256_to_bin_5(point->x, out);
        *outLen = 32;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sec_gen_256_ctx {
    int state;
    union {
        sp_256_ecc_mulmod_5_ctx mulmod_ctx;
    };
    sp_digit k[5];
    sp_point_256 point;
} sp_ecc_sec_gen_256_ctx;

int sp_ecc_secret_gen_256_nb(sp_ecc_ctx_t* sp_ctx, const mp_int* priv,
    const ecc_point* pub, byte* out, word32* outLen, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sec_gen_256_ctx* ctx = (sp_ecc_sec_gen_256_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sec_gen_256_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    if (*outLen < 32U) {
        err = BUFFER_E;
    }

    switch (ctx->state) {
        case 0:
            sp_256_from_mp(ctx->k, 5, priv);
            sp_256_point_from_ecc_point_5(&ctx->point, pub);
            ctx->state = 1;
            break;
        case 1:
            err = sp_256_ecc_mulmod_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      &ctx->point, &ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                sp_256_to_bin_5(ctx->point.x, out);
                *outLen = 32;
            }
            break;
    }

    if (err == MP_OKAY && ctx->state != 1) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_sec_gen_256_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_DHE */

#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
SP_NOINLINE static void sp_256_rshift_5(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

#ifdef WOLFSSL_SP_SMALL
    for (i=0; i<4; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (52 - n))) & 0xfffffffffffffL;
    }
#else
    for (i=0; i<0; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (52 - n)) & 0xfffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (52 - n)) & 0xfffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (52 - n)) & 0xfffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (52 - n)) & 0xfffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (52 - n)) & 0xfffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (52 - n)) & 0xfffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (52 - n)) & 0xfffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (52 - n)) & 0xfffffffffffffL);
    }
    r[0] = (a[0] >> n) | ((a[1] << (52 - n)) & 0xfffffffffffffL);
    r[1] = (a[1] >> n) | ((a[2] << (52 - n)) & 0xfffffffffffffL);
    r[2] = (a[2] >> n) | ((a[3] << (52 - n)) & 0xfffffffffffffL);
    r[3] = (a[3] >> n) | ((a[4] << (52 - n)) & 0xfffffffffffffL);
#endif /* WOLFSSL_SP_SMALL */
    r[4] = a[4] >> n;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_256_mul_d_5(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 5; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0xfffffffffffffL);
        t >>= 52;
    }
    r[5] = (sp_digit)t;
#else
    sp_int128 tb = b;
    sp_int128 t[5];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    r[ 0] = (sp_digit)                 (t[ 0] & 0xfffffffffffffL);
    r[ 1] = (sp_digit)((t[ 0] >> 52) + (t[ 1] & 0xfffffffffffffL));
    r[ 2] = (sp_digit)((t[ 1] >> 52) + (t[ 2] & 0xfffffffffffffL));
    r[ 3] = (sp_digit)((t[ 2] >> 52) + (t[ 3] & 0xfffffffffffffL));
    r[ 4] = (sp_digit)((t[ 3] >> 52) + (t[ 4] & 0xfffffffffffffL));
    r[ 5] = (sp_digit) (t[ 4] >> 52);
#endif /* WOLFSSL_SP_SMALL */
}

SP_NOINLINE static void sp_256_lshift_10(sp_digit* r, const sp_digit* a,
        byte n)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    r[10] = a[9] >> (52 - n);
    for (i=9; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (52 - n))) & 0xfffffffffffffL;
    }
#else
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[9];
    r[10] = s >> (52U - n);
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (52U - n))) & 0xfffffffffffffUL;
#endif /* WOLFSSL_SP_SMALL */
    r[0] = (a[0] << n) & 0xfffffffffffffL;
}

/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Simplified based on top word of divisor being very large.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_256_div_5(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
    sp_digit r1;
    sp_digit mask;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 5 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 5 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 10 + 1;
        sd = t2 + 5 + 1;

        sp_256_mul_d_5(sd, d, (sp_digit)1 << 4);
        sp_256_lshift_10(t1, a, 4);
        t1[5 + 5] += t1[5 + 5 - 1] >> 52;
        t1[5 + 5 - 1] &= 0xfffffffffffffL;
        for (i=4; i>=0; i--) {
            r1 = t1[5 + i];
            sp_256_mul_d_5(t2, sd, r1);
            (void)sp_256_sub_5(&t1[i], &t1[i], t2);
            t1[5 + i] -= t2[5];
            sp_256_norm_5(&t1[i + 1]);

            r1 = t1[5 + i];
            sp_256_mul_d_5(t2, sd, r1);
            (void)sp_256_sub_5(&t1[i], &t1[i], t2);
            t1[5 + i] -= t2[5];
            sp_256_norm_5(&t1[i + 1]);

            mask = ~((t1[5 + i] - 1) >> 63);
            sp_256_cond_sub_5(t1 + i, t1 + i, sd, mask);
            sp_256_norm_5(&t1[i + 1]);
        }
        sp_256_norm_5(t1);
        sp_256_rshift_5(r, t1, 4);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_256_mod_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_256_div_5(a, m, NULL, r);
}

#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* Multiply two number mod the order of P256 curve. (r = a * b mod order)
 *
 * r  Result of the multiplication.
 * a  First operand of the multiplication.
 * b  Second operand of the multiplication.
 */
static void sp_256_mont_mul_order_5(sp_digit* r, const sp_digit* a, const sp_digit* b)
{
    sp_256_mul_5(r, a, b);
    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
}

#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
#ifdef WOLFSSL_SP_SMALL
/* Order-2 for the P256 curve. */
static const uint64_t p256_order_minus_2[4] = {
    0xf3b9cac2fc63254fU,0xbce6faada7179e84U,0xffffffffffffffffU,
    0xffffffff00000000U
};
#else
/* The low half of the order-2 of the P256 curve. */
static const sp_int_digit p256_order_low[2] = {
    0xf3b9cac2fc63254fU,0xbce6faada7179e84U
};
#endif /* WOLFSSL_SP_SMALL */

/* Square number mod the order of P256 curve. (r = a * a mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_256_mont_sqr_order_5(sp_digit* r, const sp_digit* a)
{
    sp_256_sqr_5(r, a);
    sp_256_mont_reduce_order_5(r, p256_order, p256_mp_order);
}

#ifndef WOLFSSL_SP_SMALL
/* Square number mod the order of P256 curve a number of times.
 * (r = a ^ n mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_256_mont_sqr_n_order_5(sp_digit* r, const sp_digit* a, int n)
{
    int i;

    sp_256_mont_sqr_order_5(r, a);
    for (i=1; i<n; i++) {
        sp_256_mont_sqr_order_5(r, r);
    }
}
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the order of the P256 curve.
 * (r = 1 / a mod order)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_256_mont_inv_order_5_ctx {
    int state;
    int i;
} sp_256_mont_inv_order_5_ctx;
static int sp_256_mont_inv_order_5_nb(sp_ecc_ctx_t* sp_ctx, sp_digit* r, const sp_digit* a,
        sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_256_mont_inv_order_5_ctx* ctx = (sp_256_mont_inv_order_5_ctx*)sp_ctx;

    typedef char ctx_size_test[sizeof(sp_256_mont_inv_order_5_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        XMEMCPY(t, a, sizeof(sp_digit) * 5);
        ctx->i = 254;
        ctx->state = 1;
        break;
    case 1:
        sp_256_mont_sqr_order_5(t, t);
        ctx->state = 2;
        break;
    case 2:
        if ((p256_order_minus_2[ctx->i / 64] & ((sp_int_digit)1 << (ctx->i % 64))) != 0) {
            sp_256_mont_mul_order_5(t, t, a);
        }
        ctx->i--;
        ctx->state = (ctx->i == 0) ? 3 : 1;
        break;
    case 3:
        XMEMCPY(r, t, sizeof(sp_digit) * 5U);
        err = MP_OKAY;
        break;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

static void sp_256_mont_inv_order_5(sp_digit* r, const sp_digit* a,
        sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 5);
    for (i=254; i>=0; i--) {
        sp_256_mont_sqr_order_5(t, t);
        if ((p256_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_256_mont_mul_order_5(t, t, a);
        }
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 5U);
#else
    sp_digit* t = td;
    sp_digit* t2 = td + 2 * 5;
    sp_digit* t3 = td + 4 * 5;
    int i;

    /* t = a^2 */
    sp_256_mont_sqr_order_5(t, a);
    /* t = a^3 = t * a */
    sp_256_mont_mul_order_5(t, t, a);
    /* t2= a^c = t ^ 2 ^ 2 */
    sp_256_mont_sqr_n_order_5(t2, t, 2);
    /* t3= a^f = t2 * t */
    sp_256_mont_mul_order_5(t3, t2, t);
    /* t2= a^f0 = t3 ^ 2 ^ 4 */
    sp_256_mont_sqr_n_order_5(t2, t3, 4);
    /* t = a^ff = t2 * t3 */
    sp_256_mont_mul_order_5(t, t2, t3);
    /* t2= a^ff00 = t ^ 2 ^ 8 */
    sp_256_mont_sqr_n_order_5(t2, t, 8);
    /* t = a^ffff = t2 * t */
    sp_256_mont_mul_order_5(t, t2, t);
    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
    sp_256_mont_sqr_n_order_5(t2, t, 16);
    /* t = a^ffffffff = t2 * t */
    sp_256_mont_mul_order_5(t, t2, t);
    /* t2= a^ffffffff0000000000000000 = t ^ 2 ^ 64  */
    sp_256_mont_sqr_n_order_5(t2, t, 64);
    /* t2= a^ffffffff00000000ffffffff = t2 * t */
    sp_256_mont_mul_order_5(t2, t2, t);
    /* t2= a^ffffffff00000000ffffffff00000000 = t2 ^ 2 ^ 32  */
    sp_256_mont_sqr_n_order_5(t2, t2, 32);
    /* t2= a^ffffffff00000000ffffffffffffffff = t2 * t */
    sp_256_mont_mul_order_5(t2, t2, t);
    /* t2= a^ffffffff00000000ffffffffffffffffbce6 */
    sp_256_mont_sqr_order_5(t2, t2);
    sp_256_mont_mul_order_5(t2, t2, a);
    sp_256_mont_sqr_n_order_5(t2, t2, 5);
    sp_256_mont_mul_order_5(t2, t2, t3);
    for (i=121; i>=112; i--) {
        sp_256_mont_sqr_order_5(t2, t2);
        if ((p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_256_mont_mul_order_5(t2, t2, a);
        }
    }
    /* t2= a^ffffffff00000000ffffffffffffffffbce6f */
    sp_256_mont_sqr_n_order_5(t2, t2, 4);
    sp_256_mont_mul_order_5(t2, t2, t3);
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84 */
    for (i=107; i>=64; i--) {
        sp_256_mont_sqr_order_5(t2, t2);
        if ((p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_256_mont_mul_order_5(t2, t2, a);
        }
    }
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f */
    sp_256_mont_sqr_n_order_5(t2, t2, 4);
    sp_256_mont_mul_order_5(t2, t2, t3);
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2 */
    for (i=59; i>=32; i--) {
        sp_256_mont_sqr_order_5(t2, t2);
        if ((p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_256_mont_mul_order_5(t2, t2, a);
        }
    }
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2f */
    sp_256_mont_sqr_n_order_5(t2, t2, 4);
    sp_256_mont_mul_order_5(t2, t2, t3);
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254 */
    for (i=27; i>=0; i--) {
        sp_256_mont_sqr_order_5(t2, t2);
        if ((p256_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_256_mont_mul_order_5(t2, t2, a);
        }
    }
    /* t2= a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632540 */
    sp_256_mont_sqr_n_order_5(t2, t2, 4);
    /* r = a^ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63254f */
    sp_256_mont_mul_order_5(r, t2, t3);
#endif /* WOLFSSL_SP_SMALL */
}

#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
#endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
#ifdef HAVE_ECC_SIGN
#ifndef SP_ECC_MAX_SIG_GEN
#define SP_ECC_MAX_SIG_GEN  64
#endif

/* Calculate second signature value S from R, k and private value.
 *
 * s = (r * x + e) / k
 *
 * s    Signature value.
 * r    First signature value.
 * k    Ephemeral private key.
 * x    Private key as a number.
 * e    Hash of message as a number.
 * tmp  Temporary storage for intermediate numbers.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_calc_s_5(sp_digit* s, const sp_digit* r, sp_digit* k,
    sp_digit* x, const sp_digit* e, sp_digit* tmp)
{
    int err;
    sp_digit carry;
    sp_int64 c;
    sp_digit* kInv = k;

    /* Conv k to Montgomery form (mod order) */
        sp_256_mul_5(k, k, p256_norm_order);
    err = sp_256_mod_5(k, k, p256_order);
    if (err == MP_OKAY) {
        sp_256_norm_5(k);

        /* kInv = 1/k mod order */
            sp_256_mont_inv_order_5(kInv, k, tmp);
        sp_256_norm_5(kInv);

        /* s = r * x + e */
            sp_256_mul_5(x, x, r);
        err = sp_256_mod_5(x, x, p256_order);
    }
    if (err == MP_OKAY) {
        sp_256_norm_5(x);
        carry = sp_256_add_5(s, e, x);
        sp_256_cond_sub_5(s, s, p256_order, 0 - carry);
        sp_256_norm_5(s);
        c = sp_256_cmp_5(s, p256_order);
        sp_256_cond_sub_5(s, s, p256_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_256_norm_5(s);

        /* s = s * k^-1 mod order */
            sp_256_mont_mul_order_5(s, s, kInv);
        sp_256_norm_5(s);
    }

    return err;
}

/* Sign the hash using the private key.
 *   e = [hash, 256 bits] from binary
 *   r = (k.G)->x mod order
 *   s = (r * x + e) / k mod order
 * The hash is truncated to the first 256 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng,
    const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* e = NULL;
    sp_point_256* point = NULL;
#else
    sp_digit e[7 * 2 * 5];
    sp_point_256 point[1];
#endif
    sp_digit* x = NULL;
    sp_digit* k = NULL;
    sp_digit* r = NULL;
    sp_digit* tmp = NULL;
    sp_digit* s = NULL;
    sp_int64 c;
    int err = MP_OKAY;
    int i;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_256*)XMALLOC(sizeof(sp_point_256), heap,
                                             DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        e = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 5, heap,
                               DYNAMIC_TYPE_ECC);
        if (e == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        x = e + 2 * 5;
        k = e + 4 * 5;
        r = e + 6 * 5;
        tmp = e + 8 * 5;
        s = e;

        if (hashLen > 32U) {
            hashLen = 32U;
        }
    }

    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_256_ecc_gen_k_5(rng, k);
        }
        else {
            sp_256_from_mp(k, 5, km);
            mp_zero(km);
        }
        if (err == MP_OKAY) {
                err = sp_256_ecc_mulmod_base_5(point, k, 1, 1, heap);
        }

        if (err == MP_OKAY) {
            /* r = point->x mod order */
            XMEMCPY(r, point->x, sizeof(sp_digit) * 5U);
            sp_256_norm_5(r);
            c = sp_256_cmp_5(r, p256_order);
            sp_256_cond_sub_5(r, r, p256_order,
                (sp_digit)0 - (sp_digit)(c >= 0));
            sp_256_norm_5(r);

            if (!sp_256_iszero_5(r)) {
                /* x is modified in calculation of s. */
                sp_256_from_mp(x, 5, priv);
                /* s ptr == e ptr, e is modified in calculation of s. */
                sp_256_from_bin(e, 5, hash, (int)hashLen);

                err = sp_256_calc_s_5(s, r, k, x, e, tmp);

                /* Check that signature is usable. */
                if ((err == MP_OKAY) && (!sp_256_iszero_5(s))) {
                    break;
                }
            }
        }
#ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        i = 1;
#endif
    }

    if (i == 0) {
        err = RNG_FAILURE_E;
    }

    if (err == MP_OKAY) {
        err = sp_256_to_mp(r, rm);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(s, sm);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (e != NULL)
#endif
    {
        ForceZero(e, sizeof(sp_digit) * 7 * 2 * 5);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(e, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (point != NULL)
#endif
    {
        ForceZero(point, sizeof(sp_point_256));
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sign_256_ctx {
    int state;
    union {
        sp_256_ecc_mulmod_5_ctx mulmod_ctx;
        sp_256_mont_inv_order_5_ctx mont_inv_order_ctx;
    };
    sp_digit e[2*5];
    sp_digit x[2*5];
    sp_digit k[2*5];
    sp_digit r[2*5];
    sp_digit tmp[3 * 2*5];
    sp_point_256 point;
    sp_digit* s;
    sp_digit* kInv;
    int i;
} sp_ecc_sign_256_ctx;

int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, WC_RNG* rng,
    mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sign_256_ctx* ctx = (sp_ecc_sign_256_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sign_256_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->s = ctx->e;
        ctx->kInv = ctx->k;

        ctx->i = SP_ECC_MAX_SIG_GEN;
        ctx->state = 1;
        break;
    case 1: /* GEN */
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_256_ecc_gen_k_5(rng, ctx->k);
        }
        else {
            sp_256_from_mp(ctx->k, 5, km);
            mp_zero(km);
        }
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 2;
        break;
    case 2: /* MULMOD */
        err = sp_256_ecc_mulmod_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
            &ctx->point, &p256_base, ctx->k, 1, 1, heap);
        if (err == MP_OKAY) {
            ctx->state = 3;
        }
        break;
    case 3: /* MODORDER */
    {
        sp_int64 c;
        /* r = point->x mod order */
        XMEMCPY(ctx->r, ctx->point.x, sizeof(sp_digit) * 5U);
        sp_256_norm_5(ctx->r);
        c = sp_256_cmp_5(ctx->r, p256_order);
        sp_256_cond_sub_5(ctx->r, ctx->r, p256_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_256_norm_5(ctx->r);

        if (hashLen > 32U) {
            hashLen = 32U;
        }
        sp_256_from_mp(ctx->x, 5, priv);
        sp_256_from_bin(ctx->e, 5, hash, (int)hashLen);
        ctx->state = 4;
        break;
    }
    case 4: /* KMODORDER */
        /* Conv k to Montgomery form (mod order) */
        sp_256_mul_5(ctx->k, ctx->k, p256_norm_order);
        err = sp_256_mod_5(ctx->k, ctx->k, p256_order);
        if (err == MP_OKAY) {
            sp_256_norm_5(ctx->k);
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 5;
        }
        break;
    case 5: /* KINV */
        /* kInv = 1/k mod order */
        err = sp_256_mont_inv_order_5_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->kInv, ctx->k, ctx->tmp);
        if (err == MP_OKAY) {
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* KINVNORM */
        sp_256_norm_5(ctx->kInv);
        ctx->state = 7;
        break;
    case 7: /* R */
        /* s = r * x + e */
        sp_256_mul_5(ctx->x, ctx->x, ctx->r);
        ctx->state = 8;
        break;
    case 8: /* S1 */
        err = sp_256_mod_5(ctx->x, ctx->x, p256_order);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* S2 */
    {
        sp_digit carry;
        sp_int64 c;
        sp_256_norm_5(ctx->x);
        carry = sp_256_add_5(ctx->s, ctx->e, ctx->x);
        sp_256_cond_sub_5(ctx->s, ctx->s,
            p256_order, 0 - carry);
        sp_256_norm_5(ctx->s);
        c = sp_256_cmp_5(ctx->s, p256_order);
        sp_256_cond_sub_5(ctx->s, ctx->s, p256_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_256_norm_5(ctx->s);

        /* s = s * k^-1 mod order */
        sp_256_mont_mul_order_5(ctx->s, ctx->s, ctx->kInv);
        sp_256_norm_5(ctx->s);

        /* Check that signature is usable. */
        if (sp_256_iszero_5(ctx->s) == 0) {
            ctx->state = 10;
            break;
        }
    #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        ctx->i = 1;
    #endif

        /* not usable gen, try again */
        ctx->i--;
        if (ctx->i == 0) {
            err = RNG_FAILURE_E;
        }
        ctx->state = 1;
        break;
    }
    case 10: /* RES */
        err = sp_256_to_mp(ctx->r, rm);
        if (err == MP_OKAY) {
            err = sp_256_to_mp(ctx->s, sm);
        }
        break;
    }

    if (err == MP_OKAY && ctx->state != 10) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx->e, 0, sizeof(sp_digit) * 2U * 5U);
        XMEMSET(ctx->x, 0, sizeof(sp_digit) * 2U * 5U);
        XMEMSET(ctx->k, 0, sizeof(sp_digit) * 2U * 5U);
        XMEMSET(ctx->r, 0, sizeof(sp_digit) * 2U * 5U);
        XMEMSET(ctx->tmp, 0, sizeof(sp_digit) * 3U * 2U * 5U);
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_SIGN */

#ifndef WOLFSSL_SP_SMALL
static const char sp_256_tab64_5[64] = {
    64,  1, 59,  2, 60, 48, 54,  3,
    61, 40, 49, 28, 55, 34, 43,  4,
    62, 52, 38, 41, 50, 19, 29, 21,
    56, 31, 35, 12, 44, 15, 23,  5,
    63, 58, 47, 53, 39, 27, 33, 42,
    51, 37, 18, 20, 30, 11, 14, 22,
    57, 46, 26, 32, 36, 17, 10, 13,
    45, 25, 16,  9, 24,  8,  7,  6};

static int sp_256_num_bits_52_5(sp_digit v)
{
    v |= v >> 1;
    v |= v >> 2;
    v |= v >> 4;
    v |= v >> 8;
    v |= v >> 16;
    v |= v >> 32;
    return sp_256_tab64_5[((uint64_t)((v - (v >> 1))*0x07EDD5E59A4E28C2)) >> 58];
}

static int sp_256_num_bits_5(const sp_digit* a)
{
    int i;
    int r = 0;

    for (i = 4; i >= 0; i--) {
        if (a[i] != 0) {
            r = sp_256_num_bits_52_5(a[i]);
            r += i * 52;
            break;
        }
    }

    return r;
}

/* Non-constant time modular inversion.
 *
 * @param  [out]  r   Resulting number.
 * @param  [in]   a   Number to invert.
 * @param  [in]   m   Modulus.
 * @return  MP_OKAY on success.
 * @return  MEMEORY_E when dynamic memory allocation fails.
 */
static int sp_256_mod_inv_5(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u = NULL;
#else
    sp_digit u[5 * 4];
#endif
    sp_digit* v = NULL;
    sp_digit* b = NULL;
    sp_digit* d = NULL;
    int ut;
    int vt;

#ifdef WOLFSSL_SP_SMALL_STACK
    u = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 4, NULL,
                                                              DYNAMIC_TYPE_ECC);
    if (u == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        v = u + 5;
        b = u + 2 * 5;
        d = u + 3 * 5;

        XMEMCPY(u, m, sizeof(sp_digit) * 5);
        XMEMCPY(v, a, sizeof(sp_digit) * 5);

        ut = sp_256_num_bits_5(u);
        vt = sp_256_num_bits_5(v);

        XMEMSET(b, 0, sizeof(sp_digit) * 5);
        if ((v[0] & 1) == 0) {
            sp_256_rshift1_5(v, v);
            XMEMCPY(d, m, sizeof(sp_digit) * 5);
            d[0]++;
            sp_256_rshift1_5(d, d);
            vt--;

            while ((v[0] & 1) == 0) {
                sp_256_rshift1_5(v, v);
                if (d[0] & 1)
                    sp_256_add_5(d, d, m);
                sp_256_rshift1_5(d, d);
                vt--;
            }
        }
        else {
            XMEMSET(d+1, 0, sizeof(sp_digit) * (5 - 1));
            d[0] = 1;
        }

        while (ut > 1 && vt > 1) {
            if ((ut > vt) || ((ut == vt) &&
                    (sp_256_cmp_5(u, v) >= 0))) {
                sp_256_sub_5(u, u, v);
                sp_256_norm_5(u);

                sp_256_sub_5(b, b, d);
                sp_256_norm_5(b);
                if (b[4] < 0)
                    sp_256_add_5(b, b, m);
                sp_256_norm_5(b);
                ut = sp_256_num_bits_5(u);

                do {
                    sp_256_rshift1_5(u, u);
                    if (b[0] & 1)
                        sp_256_add_5(b, b, m);
                    sp_256_rshift1_5(b, b);
                    ut--;
                }
                while (ut > 0 && (u[0] & 1) == 0);
            }
            else {
                sp_256_sub_5(v, v, u);
                sp_256_norm_5(v);

                sp_256_sub_5(d, d, b);
                sp_256_norm_5(d);
                if (d[4] < 0)
                    sp_256_add_5(d, d, m);
                sp_256_norm_5(d);
                vt = sp_256_num_bits_5(v);

                do {
                    sp_256_rshift1_5(v, v);
                    if (d[0] & 1)
                        sp_256_add_5(d, d, m);
                    sp_256_rshift1_5(d, d);
                    vt--;
                }
                while (vt > 0 && (v[0] & 1) == 0);
            }
        }

        if (ut == 1)
            XMEMCPY(r, b, sizeof(sp_digit) * 5);
        else
            XMEMCPY(r, d, sizeof(sp_digit) * 5);
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (u != NULL)
        XFREE(u, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* WOLFSSL_SP_SMALL */

/* Add point p1 into point p2. Handles p1 == p2 and result at infinity.
 *
 * p1   First point to add and holds result.
 * p2   Second point to add.
 * tmp  Temporary storage for intermediate numbers.
 */
static void sp_256_add_points_5(sp_point_256* p1, const sp_point_256* p2,
    sp_digit* tmp)
{

        sp_256_proj_point_add_5(p1, p1, p2, tmp);
    if (sp_256_iszero_5(p1->z)) {
        if (sp_256_iszero_5(p1->x) && sp_256_iszero_5(p1->y)) {
                sp_256_proj_point_dbl_5(p1, p2, tmp);
        }
        else {
            /* Y ordinate is not used from here - don't set. */
            p1->x[0] = 0;
            p1->x[1] = 0;
            p1->x[2] = 0;
            p1->x[3] = 0;
            p1->x[4] = 0;
            XMEMCPY(p1->z, p256_norm_mod, sizeof(p256_norm_mod));
        }
    }
}

/* Calculate the verification point: [e/s]G + [r/s]Q
 *
 * p1    Calculated point.
 * p2    Public point and temporary.
 * s     Second part of signature as a number.
 * u1    Temporary number.
 * u2    Temporary number.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_256_calc_vfy_point_5(sp_point_256* p1, sp_point_256* p2,
    sp_digit* s, sp_digit* u1, sp_digit* u2, sp_digit* tmp, void* heap)
{
    int err;

#ifndef WOLFSSL_SP_SMALL
    err = sp_256_mod_inv_5(s, s, p256_order);
    if (err == MP_OKAY)
#endif /* !WOLFSSL_SP_SMALL */
    {
        sp_256_mul_5(s, s, p256_norm_order);
        err = sp_256_mod_5(s, s, p256_order);
    }
    if (err == MP_OKAY) {
        sp_256_norm_5(s);
#ifdef WOLFSSL_SP_SMALL
        {
            sp_256_mont_inv_order_5(s, s, tmp);
            sp_256_mont_mul_order_5(u1, u1, s);
            sp_256_mont_mul_order_5(u2, u2, s);
        }
#else
        {
            sp_256_mont_mul_order_5(u1, u1, s);
            sp_256_mont_mul_order_5(u2, u2, s);
        }
#endif /* WOLFSSL_SP_SMALL */
        {
            err = sp_256_ecc_mulmod_base_5(p1, u1, 0, 0, heap);
        }
    }
    if ((err == MP_OKAY) && sp_256_iszero_5(p1->z)) {
        p1->infinity = 1;
    }
    if (err == MP_OKAY) {
            err = sp_256_ecc_mulmod_5(p2, p2, u2, 0, 0, heap);
    }
    if ((err == MP_OKAY) && sp_256_iszero_5(p2->z)) {
        p2->infinity = 1;
    }

    if (err == MP_OKAY) {
        sp_256_add_points_5(p1, p2, tmp);
    }

    return err;
}

#ifdef HAVE_ECC_VERIFY
/* Verify the signature values with the hash and public key.
 *   e = Truncate(hash, 256)
 *   u1 = e/s mod order
 *   u2 = r/s mod order
 *   r == (u1.G + u2.Q)->x mod order
 * Optimization: Leave point in projective form.
 *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
 *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
 * The hash is truncated to the first 256 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX,
    const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm,
    int* res, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u1 = NULL;
    sp_point_256* p1 = NULL;
#else
    sp_digit  u1[18 * 5];
    sp_point_256 p1[2];
#endif
    sp_digit* u2 = NULL;
    sp_digit* s = NULL;
    sp_digit* tmp = NULL;
    sp_point_256* p2 = NULL;
    sp_digit carry;
    sp_int64 c = 0;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p1 = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap,
                                             DYNAMIC_TYPE_ECC);
        if (p1 == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        u1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 5, heap,
                                                              DYNAMIC_TYPE_ECC);
        if (u1 == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        u2  = u1 + 2 * 5;
        s   = u1 + 4 * 5;
        tmp = u1 + 6 * 5;
        p2 = p1 + 1;

        if (hashLen > 32U) {
            hashLen = 32U;
        }

        sp_256_from_bin(u1, 5, hash, (int)hashLen);
        sp_256_from_mp(u2, 5, rm);
        sp_256_from_mp(s, 5, sm);
        sp_256_from_mp(p2->x, 5, pX);
        sp_256_from_mp(p2->y, 5, pY);
        sp_256_from_mp(p2->z, 5, pZ);

        err = sp_256_calc_vfy_point_5(p1, p2, s, u1, u2, tmp, heap);
    }
    if (err == MP_OKAY) {
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_256_from_mp(u2, 5, rm);
        err = sp_256_mod_mul_norm_5(u2, u2, p256_mod);
    }

    if (err == MP_OKAY) {
        /* u1 = r.z'.z' mod prime */
            sp_256_mont_sqr_5(p1->z, p1->z, p256_mod, p256_mp_mod);
            sp_256_mont_mul_5(u1, u2, p1->z, p256_mod, p256_mp_mod);
        *res = (int)(sp_256_cmp_5(p1->x, u1) == 0);
        if (*res == 0) {
            /* Reload r and add order. */
            sp_256_from_mp(u2, 5, rm);
            carry = sp_256_add_5(u2, u2, p256_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_256_norm_5(u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_256_cmp_5(u2, p256_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_256_mod_mul_norm_5(u2, u2, p256_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                {
                    sp_256_mont_mul_5(u1, u2, p1->z, p256_mod, p256_mp_mod);
                }
                *res = (sp_256_cmp_5(p1->x, u1) == 0);
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (u1 != NULL)
        XFREE(u1, heap, DYNAMIC_TYPE_ECC);
    if (p1 != NULL)
        XFREE(p1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_verify_256_ctx {
    int state;
    union {
        sp_256_ecc_mulmod_5_ctx mulmod_ctx;
        sp_256_mont_inv_order_5_ctx mont_inv_order_ctx;
        sp_256_proj_point_dbl_5_ctx dbl_ctx;
        sp_256_proj_point_add_5_ctx add_ctx;
    };
    sp_digit u1[2*5];
    sp_digit u2[2*5];
    sp_digit s[2*5];
    sp_digit tmp[2*5 * 6];
    sp_point_256 p1;
    sp_point_256 p2;
} sp_ecc_verify_256_ctx;

int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
    word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ,
    const mp_int* rm, const mp_int* sm, int* res, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_verify_256_ctx* ctx = (sp_ecc_verify_256_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_verify_256_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        if (hashLen > 32U) {
            hashLen = 32U;
        }

        sp_256_from_bin(ctx->u1, 5, hash, (int)hashLen);
        sp_256_from_mp(ctx->u2, 5, rm);
        sp_256_from_mp(ctx->s, 5, sm);
        sp_256_from_mp(ctx->p2.x, 5, pX);
        sp_256_from_mp(ctx->p2.y, 5, pY);
        sp_256_from_mp(ctx->p2.z, 5, pZ);
        ctx->state = 1;
        break;
    case 1: /* NORMS0 */
        sp_256_mul_5(ctx->s, ctx->s, p256_norm_order);
        err = sp_256_mod_5(ctx->s, ctx->s, p256_order);
        if (err == MP_OKAY)
            ctx->state = 2;
        break;
    case 2: /* NORMS1 */
        sp_256_norm_5(ctx->s);
        XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
        ctx->state = 3;
        break;
    case 3: /* NORMS2 */
        err = sp_256_mont_inv_order_5_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->s, ctx->s, ctx->tmp);
        if (err == MP_OKAY) {
            ctx->state = 4;
        }
        break;
    case 4: /* NORMS3 */
        sp_256_mont_mul_order_5(ctx->u1, ctx->u1, ctx->s);
        ctx->state = 5;
        break;
    case 5: /* NORMS4 */
        sp_256_mont_mul_order_5(ctx->u2, ctx->u2, ctx->s);
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 6;
        break;
    case 6: /* MULBASE */
        err = sp_256_ecc_mulmod_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p1, &p256_base, ctx->u1, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_256_iszero_5(ctx->p1.z)) {
                ctx->p1.infinity = 1;
            }
            XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
            ctx->state = 7;
        }
        break;
    case 7: /* MULMOD */
        err = sp_256_ecc_mulmod_5_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p2, &ctx->p2, ctx->u2, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_256_iszero_5(ctx->p2.z)) {
                ctx->p2.infinity = 1;
            }
            XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
            ctx->state = 8;
        }
        break;
    case 8: /* ADD */
        err = sp_256_proj_point_add_5_nb((sp_ecc_ctx_t*)&ctx->add_ctx, &ctx->p1, &ctx->p1, &ctx->p2, ctx->tmp);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* MONT */
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_256_from_mp(ctx->u2, 5, rm);
        err = sp_256_mod_mul_norm_5(ctx->u2, ctx->u2, p256_mod);
        if (err == MP_OKAY)
            ctx->state = 10;
        break;
    case 10: /* SQR */
        /* u1 = r.z'.z' mod prime */
        sp_256_mont_sqr_5(ctx->p1.z, ctx->p1.z, p256_mod, p256_mp_mod);
        ctx->state = 11;
        break;
    case 11: /* MUL */
        sp_256_mont_mul_5(ctx->u1, ctx->u2, ctx->p1.z, p256_mod, p256_mp_mod);
        ctx->state = 12;
        break;
    case 12: /* RES */
    {
        sp_int64 c = 0;
        err = MP_OKAY; /* math okay, now check result */
        *res = (int)(sp_256_cmp_5(ctx->p1.x, ctx->u1) == 0);
        if (*res == 0) {
            sp_digit carry;

            /* Reload r and add order. */
            sp_256_from_mp(ctx->u2, 5, rm);
            carry = sp_256_add_5(ctx->u2, ctx->u2, p256_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_256_norm_5(ctx->u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_256_cmp_5(ctx->u2, p256_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_256_mod_mul_norm_5(ctx->u2, ctx->u2, p256_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                sp_256_mont_mul_5(ctx->u1, ctx->u2, ctx->p1.z, p256_mod,
                                                            p256_mp_mod);
                *res = (int)(sp_256_cmp_5(ctx->p1.x, ctx->u1) == 0);
            }
        }
        break;
    }
    } /* switch */

    if (err == MP_OKAY && ctx->state != 12) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_VERIFY */

#ifdef HAVE_ECC_CHECK_KEY
/* Check that the x and y ordinates are a valid point on the curve.
 *
 * point  EC point.
 * heap   Heap to use if dynamically allocating.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
static int sp_256_ecc_is_point_5(const sp_point_256* point,
    void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[5 * 4];
#endif
    sp_digit* t2 = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 4, heap, DYNAMIC_TYPE_ECC);
    if (t1 == NULL)
        err = MEMORY_E;
#endif
    (void)heap;

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 5;

        /* y^2 - x^3 - a.x = b */
        sp_256_sqr_5(t1, point->y);
        (void)sp_256_mod_5(t1, t1, p256_mod);
        sp_256_sqr_5(t2, point->x);
        (void)sp_256_mod_5(t2, t2, p256_mod);
        sp_256_mul_5(t2, t2, point->x);
        (void)sp_256_mod_5(t2, t2, p256_mod);
        sp_256_mont_sub_5(t1, t1, t2, p256_mod);

        /* y^2 - x^3 + 3.x = b, when a = -3  */
        sp_256_mont_add_5(t1, t1, point->x, p256_mod);
        sp_256_mont_add_5(t1, t1, point->x, p256_mod);
        sp_256_mont_add_5(t1, t1, point->x, p256_mod);


        if (sp_256_cmp_5(t1, p256_b) != 0) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the x and y ordinates are a valid point on the curve.
 *
 * pX  X ordinate of EC point.
 * pY  Y ordinate of EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
int sp_ecc_is_point_256(const mp_int* pX, const mp_int* pY)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_256* pub = NULL;
#else
    sp_point_256 pub[1];
#endif
    const byte one[1] = { 1 };
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    pub = (sp_point_256*)XMALLOC(sizeof(sp_point_256), NULL,
                                       DYNAMIC_TYPE_ECC);
    if (pub == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        sp_256_from_mp(pub->x, 5, pX);
        sp_256_from_mp(pub->y, 5, pY);
        sp_256_from_bin(pub->z, 5, one, (int)sizeof(one));

        err = sp_256_ecc_is_point_5(pub, NULL);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the private scalar generates the EC point (px, py), the point is
 * on the curve and the point has the correct order.
 *
 * pX     X ordinate of EC point.
 * pY     Y ordinate of EC point.
 * privm  Private scalar that generates EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve, ECC_INF_E if the point does not have the correct order,
 * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
 * MP_OKAY otherwise.
 */
int sp_ecc_check_key_256(const mp_int* pX, const mp_int* pY,
    const mp_int* privm, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* priv = NULL;
    sp_point_256* pub = NULL;
#else
    sp_digit priv[5];
    sp_point_256 pub[2];
#endif
    sp_point_256* p = NULL;
    const byte one[1] = { 1 };
    int err = MP_OKAY;


    /* Quick check the lengs of public key ordinates and private key are in
     * range. Proper check later.
     */
    if (((mp_count_bits(pX) > 256) ||
        (mp_count_bits(pY) > 256) ||
        ((privm != NULL) && (mp_count_bits(privm) > 256)))) {
        err = ECC_OUT_OF_RANGE_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        pub = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, heap,
                                           DYNAMIC_TYPE_ECC);
        if (pub == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY && privm) {
        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5, heap,
                                  DYNAMIC_TYPE_ECC);
        if (priv == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = pub + 1;

        sp_256_from_mp(pub->x, 5, pX);
        sp_256_from_mp(pub->y, 5, pY);
        sp_256_from_bin(pub->z, 5, one, (int)sizeof(one));
        if (privm)
            sp_256_from_mp(priv, 5, privm);

        /* Check point at infinitiy. */
        if ((sp_256_iszero_5(pub->x) != 0) &&
            (sp_256_iszero_5(pub->y) != 0)) {
            err = ECC_INF_E;
        }
    }

    /* Check range of X and Y */
    if ((err == MP_OKAY) &&
            ((sp_256_cmp_5(pub->x, p256_mod) >= 0) ||
             (sp_256_cmp_5(pub->y, p256_mod) >= 0))) {
        err = ECC_OUT_OF_RANGE_E;
    }

    if (err == MP_OKAY) {
        /* Check point is on curve */
        err = sp_256_ecc_is_point_5(pub, heap);
    }

    if (err == MP_OKAY) {
        /* Point * order = infinity */
            err = sp_256_ecc_mulmod_5(p, pub, p256_order, 1, 1, heap);
    }
    /* Check result is infinity */
    if ((err == MP_OKAY) && ((sp_256_iszero_5(p->x) == 0) ||
                             (sp_256_iszero_5(p->y) == 0))) {
        err = ECC_INF_E;
    }

    if (privm) {
        if (err == MP_OKAY) {
            /* Base * private = point */
                err = sp_256_ecc_mulmod_base_5(p, priv, 1, 1, heap);
        }
        /* Check result is public key */
        if ((err == MP_OKAY) &&
                ((sp_256_cmp_5(p->x, pub->x) != 0) ||
                 (sp_256_cmp_5(p->y, pub->y) != 0))) {
            err = ECC_PRIV_KEY_E;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, heap, DYNAMIC_TYPE_ECC);
    if (priv != NULL)
        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
/* Add two projective EC points together.
 * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
 *
 * pX   First EC point's X ordinate.
 * pY   First EC point's Y ordinate.
 * pZ   First EC point's Z ordinate.
 * qX   Second EC point's X ordinate.
 * qY   Second EC point's Y ordinate.
 * qZ   Second EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_add_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* qX, mp_int* qY, mp_int* qZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_256* p = NULL;
#else
    sp_digit tmp[2 * 5 * 6];
    sp_point_256 p[2];
#endif
    sp_point_256* q = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_256*)XMALLOC(sizeof(sp_point_256) * 2, NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 6, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        q = p + 1;

        sp_256_from_mp(p->x, 5, pX);
        sp_256_from_mp(p->y, 5, pY);
        sp_256_from_mp(p->z, 5, pZ);
        sp_256_from_mp(q->x, 5, qX);
        sp_256_from_mp(q->y, 5, qY);
        sp_256_from_mp(q->z, 5, qZ);
        p->infinity = sp_256_iszero_5(p->x) &
                      sp_256_iszero_5(p->y);
        q->infinity = sp_256_iszero_5(q->x) &
                      sp_256_iszero_5(q->y);

            sp_256_proj_point_add_5(p, p, q, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Double a projective EC point.
 * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_dbl_point_256(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_256* p = NULL;
#else
    sp_digit tmp[2 * 5 * 2];
    sp_point_256 p[1];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 2, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_256_from_mp(p->x, 5, pX);
        sp_256_from_mp(p->y, 5, pY);
        sp_256_from_mp(p->z, 5, pZ);
        p->infinity = sp_256_iszero_5(p->x) &
                      sp_256_iszero_5(p->y);

            sp_256_proj_point_dbl_5(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Map a projective EC point to affine in place.
 * pZ will be one.
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_map_256(mp_int* pX, mp_int* pY, mp_int* pZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_256* p = NULL;
#else
    sp_digit tmp[2 * 5 * 4];
    sp_point_256 p[1];
#endif
    int err = MP_OKAY;


#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_256*)XMALLOC(sizeof(sp_point_256), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 5 * 4, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        sp_256_from_mp(p->x, 5, pX);
        sp_256_from_mp(p->y, 5, pY);
        sp_256_from_mp(p->z, 5, pZ);
        p->infinity = sp_256_iszero_5(p->x) &
                      sp_256_iszero_5(p->y);

            sp_256_map_5(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->x, pX);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->y, pY);
    }
    if (err == MP_OKAY) {
        err = sp_256_to_mp(p->z, pZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
#ifdef HAVE_COMP_KEY
/* Find the square root of a number mod the prime of the curve.
 *
 * y  The number to operate on and the result.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
static int sp_256_mont_sqrt_5(sp_digit* y)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 5];
#endif
    sp_digit* t2 = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 5, NULL, DYNAMIC_TYPE_ECC);
    if (t1 == NULL) {
        err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 5;

        {
            /* t2 = y ^ 0x2 */
            sp_256_mont_sqr_5(t2, y, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0x3 */
            sp_256_mont_mul_5(t1, t2, y, p256_mod, p256_mp_mod);
            /* t2 = y ^ 0xc */
            sp_256_mont_sqr_n_5(t2, t1, 2, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xf */
            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
            /* t2 = y ^ 0xf0 */
            sp_256_mont_sqr_n_5(t2, t1, 4, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xff */
            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
            /* t2 = y ^ 0xff00 */
            sp_256_mont_sqr_n_5(t2, t1, 8, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffff */
            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
            /* t2 = y ^ 0xffff0000 */
            sp_256_mont_sqr_n_5(t2, t1, 16, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffffffff */
            sp_256_mont_mul_5(t1, t1, t2, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffffffff00000000 */
            sp_256_mont_sqr_n_5(t1, t1, 32, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffffffff00000001 */
            sp_256_mont_mul_5(t1, t1, y, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffffffff00000001000000000000000000000000 */
            sp_256_mont_sqr_n_5(t1, t1, 96, p256_mod, p256_mp_mod);
            /* t1 = y ^ 0xffffffff00000001000000000000000000000001 */
            sp_256_mont_mul_5(t1, t1, y, p256_mod, p256_mp_mod);
            sp_256_mont_sqr_n_5(y, t1, 94, p256_mod, p256_mp_mod);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}


/* Uncompress the point given the X ordinate.
 *
 * xm    X ordinate.
 * odd   Whether the Y ordinate is odd.
 * ym    Calculated Y ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_uncompress_256(mp_int* xm, int odd, mp_int* ym)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* x = NULL;
#else
    sp_digit x[4 * 5];
#endif
    sp_digit* y = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    x = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 5, NULL, DYNAMIC_TYPE_ECC);
    if (x == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        y = x + 2 * 5;

        sp_256_from_mp(x, 5, xm);
        err = sp_256_mod_mul_norm_5(x, x, p256_mod);
    }
    if (err == MP_OKAY) {
        /* y = x^3 */
        {
            sp_256_mont_sqr_5(y, x, p256_mod, p256_mp_mod);
            sp_256_mont_mul_5(y, y, x, p256_mod, p256_mp_mod);
        }
        /* y = x^3 - 3x */
        sp_256_mont_sub_5(y, y, x, p256_mod);
        sp_256_mont_sub_5(y, y, x, p256_mod);
        sp_256_mont_sub_5(y, y, x, p256_mod);
        /* y = x^3 - 3x + b */
        err = sp_256_mod_mul_norm_5(x, p256_b, p256_mod);
    }
    if (err == MP_OKAY) {
        sp_256_mont_add_5(y, y, x, p256_mod);
        /* y = sqrt(x^3 - 3x + b) */
        err = sp_256_mont_sqrt_5(y);
    }
    if (err == MP_OKAY) {
        XMEMSET(y + 5, 0, 5U * sizeof(sp_digit));
        sp_256_mont_reduce_5(y, p256_mod, p256_mp_mod);
        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
            sp_256_mont_sub_5(y, p256_mod, y, p256_mod);
        }

        err = sp_256_to_mp(y, ym);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (x != NULL)
        XFREE(x, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#endif /* !WOLFSSL_SP_NO_256 */
#ifdef WOLFSSL_SP_384

/* Point structure to use. */
typedef struct sp_point_384 {
    /* X ordinate of point. */
    sp_digit x[2 * 7];
    /* Y ordinate of point. */
    sp_digit y[2 * 7];
    /* Z ordinate of point. */
    sp_digit z[2 * 7];
    /* Indicates point is at infinity. */
    int infinity;
} sp_point_384;

/* The modulus (prime) of the curve P384. */
static const sp_digit p384_mod[7] = {
    0x000000ffffffffL,0x7ffe0000000000L,0x7ffffffffbffffL,0x7fffffffffffffL,
    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
};
/* The Montgomery normalizer for modulus of the curve P384. */
static const sp_digit p384_norm_mod[7] = {
    0x7fffff00000001L,0x0001ffffffffffL,0x00000000040000L,0x00000000000000L,
    0x00000000000000L,0x00000000000000L,0x00000000000000L
};
/* The Montgomery multiplier for modulus of the curve P384. */
static sp_digit p384_mp_mod = 0x0000100000001;
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                            defined(HAVE_ECC_VERIFY)
/* The order of the curve P384. */
static const sp_digit p384_order[7] = {
    0x6c196accc52973L,0x1b6491614ef5d9L,0x07d0dcb77d6068L,0x7ffffffe3b1a6cL,
    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
};
#endif
/* The order of the curve P384 minus 2. */
static const sp_digit p384_order2[7] = {
    0x6c196accc52971L,0x1b6491614ef5d9L,0x07d0dcb77d6068L,0x7ffffffe3b1a6cL,
    0x7fffffffffffffL,0x7fffffffffffffL,0x3fffffffffffffL
};
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery normalizer for order of the curve P384. */
static const sp_digit p384_norm_order[7] = {
    0x13e695333ad68dL,0x649b6e9eb10a26L,0x782f2348829f97L,0x00000001c4e593L,
    0x00000000000000L,0x00000000000000L,0x00000000000000L
};
#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery multiplier for order of the curve P384. */
static sp_digit p384_mp_order = 0x546089e88fdc45L;
#endif
/* The base point of curve P384. */
static const sp_point_384 p384_base = {
    /* X ordinate */
    {
        0x545e3872760ab7L,0x64bb7eaa52d874L,0x020950a8e1540bL,0x5d3cdcc2cfba0fL,
        0x0ad746e1d3b628L,0x26f1d638e3de64L,0x2aa1f288afa2c1L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0
    },
    /* Y ordinate */
    {
        0x431d7c90ea0e5fL,0x639c3afd033af4L,0x4ed7c2e3002982L,0x44d0a3e74ed188L,
        0x2dc29f8f41dbd2L,0x0debb3d317f252L,0x0d85f792a5898bL,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0
    },
    /* Z ordinate */
    {
        0x00000000000001L,0x00000000000000L,0x00000000000000L,0x00000000000000L,
        0x00000000000000L,0x00000000000000L,0x00000000000000L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0
    },
    /* infinity */
    0
};
#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
static const sp_digit p384_b[7] = {
    0x05c8edd3ec2aefL,0x731b145da33a55L,0x3d404e1d6b1958L,0x740a089018a044L,
    0x02d19181d9c6efL,0x7c9311c0ad7c7fL,0x2ccc4be9f88fb9L
};
#endif

#ifdef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_384_mul_7(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[6]) * b[6];
    r[13] = (sp_digit)(c >> 55);
    c &= 0x7fffffffffffffL;
    for (k = 11; k >= 0; k--) {
        if (k >= 7) {
            i = k - 6;
            imax = 6;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 55;
        r[k + 2] += (sp_digit)(c >> 55);
        r[k + 1]  = (sp_digit)(c & 0x7fffffffffffffL);
        c = lo & 0x7fffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

#else
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_384_mul_7(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_int128 t0   = ((sp_int128)a[ 0]) * b[ 0];
    sp_int128 t1   = ((sp_int128)a[ 0]) * b[ 1]
                 + ((sp_int128)a[ 1]) * b[ 0];
    sp_int128 t2   = ((sp_int128)a[ 0]) * b[ 2]
                 + ((sp_int128)a[ 1]) * b[ 1]
                 + ((sp_int128)a[ 2]) * b[ 0];
    sp_int128 t3   = ((sp_int128)a[ 0]) * b[ 3]
                 + ((sp_int128)a[ 1]) * b[ 2]
                 + ((sp_int128)a[ 2]) * b[ 1]
                 + ((sp_int128)a[ 3]) * b[ 0];
    sp_int128 t4   = ((sp_int128)a[ 0]) * b[ 4]
                 + ((sp_int128)a[ 1]) * b[ 3]
                 + ((sp_int128)a[ 2]) * b[ 2]
                 + ((sp_int128)a[ 3]) * b[ 1]
                 + ((sp_int128)a[ 4]) * b[ 0];
    sp_int128 t5   = ((sp_int128)a[ 0]) * b[ 5]
                 + ((sp_int128)a[ 1]) * b[ 4]
                 + ((sp_int128)a[ 2]) * b[ 3]
                 + ((sp_int128)a[ 3]) * b[ 2]
                 + ((sp_int128)a[ 4]) * b[ 1]
                 + ((sp_int128)a[ 5]) * b[ 0];
    sp_int128 t6   = ((sp_int128)a[ 0]) * b[ 6]
                 + ((sp_int128)a[ 1]) * b[ 5]
                 + ((sp_int128)a[ 2]) * b[ 4]
                 + ((sp_int128)a[ 3]) * b[ 3]
                 + ((sp_int128)a[ 4]) * b[ 2]
                 + ((sp_int128)a[ 5]) * b[ 1]
                 + ((sp_int128)a[ 6]) * b[ 0];
    sp_int128 t7   = ((sp_int128)a[ 1]) * b[ 6]
                 + ((sp_int128)a[ 2]) * b[ 5]
                 + ((sp_int128)a[ 3]) * b[ 4]
                 + ((sp_int128)a[ 4]) * b[ 3]
                 + ((sp_int128)a[ 5]) * b[ 2]
                 + ((sp_int128)a[ 6]) * b[ 1];
    sp_int128 t8   = ((sp_int128)a[ 2]) * b[ 6]
                 + ((sp_int128)a[ 3]) * b[ 5]
                 + ((sp_int128)a[ 4]) * b[ 4]
                 + ((sp_int128)a[ 5]) * b[ 3]
                 + ((sp_int128)a[ 6]) * b[ 2];
    sp_int128 t9   = ((sp_int128)a[ 3]) * b[ 6]
                 + ((sp_int128)a[ 4]) * b[ 5]
                 + ((sp_int128)a[ 5]) * b[ 4]
                 + ((sp_int128)a[ 6]) * b[ 3];
    sp_int128 t10  = ((sp_int128)a[ 4]) * b[ 6]
                 + ((sp_int128)a[ 5]) * b[ 5]
                 + ((sp_int128)a[ 6]) * b[ 4];
    sp_int128 t11  = ((sp_int128)a[ 5]) * b[ 6]
                 + ((sp_int128)a[ 6]) * b[ 5];
    sp_int128 t12  = ((sp_int128)a[ 6]) * b[ 6];

    t1   += t0  >> 55; r[ 0] = t0  & 0x7fffffffffffffL;
    t2   += t1  >> 55; r[ 1] = t1  & 0x7fffffffffffffL;
    t3   += t2  >> 55; r[ 2] = t2  & 0x7fffffffffffffL;
    t4   += t3  >> 55; r[ 3] = t3  & 0x7fffffffffffffL;
    t5   += t4  >> 55; r[ 4] = t4  & 0x7fffffffffffffL;
    t6   += t5  >> 55; r[ 5] = t5  & 0x7fffffffffffffL;
    t7   += t6  >> 55; r[ 6] = t6  & 0x7fffffffffffffL;
    t8   += t7  >> 55; r[ 7] = t7  & 0x7fffffffffffffL;
    t9   += t8  >> 55; r[ 8] = t8  & 0x7fffffffffffffL;
    t10  += t9  >> 55; r[ 9] = t9  & 0x7fffffffffffffL;
    t11  += t10 >> 55; r[10] = t10 & 0x7fffffffffffffL;
    t12  += t11 >> 55; r[11] = t11 & 0x7fffffffffffffL;
    r[13] = (sp_digit)(t12 >> 55);
                       r[12] = t12 & 0x7fffffffffffffL;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_384_sqr_7(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[6]) * a[6];
    r[13] = (sp_digit)(c >> 55);
    c = (c & 0x7fffffffffffffL) << 55;
    for (k = 11; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 6) {
            imax = k;
        }
        else {
            imax = 6;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 110);
        r[k + 1]  = (sp_digit)((c >> 55) & 0x7fffffffffffffL);
        c = (c & 0x7fffffffffffffL) << 55;
    }
    r[0] = (sp_digit)(c >> 55);
}

#else
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_384_sqr_7(sp_digit* r, const sp_digit* a)
{
    sp_int128 t0   =  ((sp_int128)a[ 0]) * a[ 0];
    sp_int128 t1   = (((sp_int128)a[ 0]) * a[ 1]) * 2;
    sp_int128 t2   = (((sp_int128)a[ 0]) * a[ 2]) * 2
                 +  ((sp_int128)a[ 1]) * a[ 1];
    sp_int128 t3   = (((sp_int128)a[ 0]) * a[ 3]
                 +  ((sp_int128)a[ 1]) * a[ 2]) * 2;
    sp_int128 t4   = (((sp_int128)a[ 0]) * a[ 4]
                 +  ((sp_int128)a[ 1]) * a[ 3]) * 2
                 +  ((sp_int128)a[ 2]) * a[ 2];
    sp_int128 t5   = (((sp_int128)a[ 0]) * a[ 5]
                 +  ((sp_int128)a[ 1]) * a[ 4]
                 +  ((sp_int128)a[ 2]) * a[ 3]) * 2;
    sp_int128 t6   = (((sp_int128)a[ 0]) * a[ 6]
                 +  ((sp_int128)a[ 1]) * a[ 5]
                 +  ((sp_int128)a[ 2]) * a[ 4]) * 2
                 +  ((sp_int128)a[ 3]) * a[ 3];
    sp_int128 t7   = (((sp_int128)a[ 1]) * a[ 6]
                 +  ((sp_int128)a[ 2]) * a[ 5]
                 +  ((sp_int128)a[ 3]) * a[ 4]) * 2;
    sp_int128 t8   = (((sp_int128)a[ 2]) * a[ 6]
                 +  ((sp_int128)a[ 3]) * a[ 5]) * 2
                 +  ((sp_int128)a[ 4]) * a[ 4];
    sp_int128 t9   = (((sp_int128)a[ 3]) * a[ 6]
                 +  ((sp_int128)a[ 4]) * a[ 5]) * 2;
    sp_int128 t10  = (((sp_int128)a[ 4]) * a[ 6]) * 2
                 +  ((sp_int128)a[ 5]) * a[ 5];
    sp_int128 t11  = (((sp_int128)a[ 5]) * a[ 6]) * 2;
    sp_int128 t12  =  ((sp_int128)a[ 6]) * a[ 6];

    t1   += t0  >> 55; r[ 0] = t0  & 0x7fffffffffffffL;
    t2   += t1  >> 55; r[ 1] = t1  & 0x7fffffffffffffL;
    t3   += t2  >> 55; r[ 2] = t2  & 0x7fffffffffffffL;
    t4   += t3  >> 55; r[ 3] = t3  & 0x7fffffffffffffL;
    t5   += t4  >> 55; r[ 4] = t4  & 0x7fffffffffffffL;
    t6   += t5  >> 55; r[ 5] = t5  & 0x7fffffffffffffL;
    t7   += t6  >> 55; r[ 6] = t6  & 0x7fffffffffffffL;
    t8   += t7  >> 55; r[ 7] = t7  & 0x7fffffffffffffL;
    t9   += t8  >> 55; r[ 8] = t8  & 0x7fffffffffffffL;
    t10  += t9  >> 55; r[ 9] = t9  & 0x7fffffffffffffL;
    t11  += t10 >> 55; r[10] = t10 & 0x7fffffffffffffL;
    t12  += t11 >> 55; r[11] = t11 & 0x7fffffffffffffL;
    r[13] = (sp_digit)(t12 >> 55);
                       r[12] = t12 & 0x7fffffffffffffL;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_384_add_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 7; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}
#else
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_384_add_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_384_sub_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 7; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

#else
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_384_sub_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] - b[ 0];
    r[ 1] = a[ 1] - b[ 1];
    r[ 2] = a[ 2] - b[ 2];
    r[ 3] = a[ 3] - b[ 3];
    r[ 4] = a[ 4] - b[ 4];
    r[ 5] = a[ 5] - b[ 5];
    r[ 6] = a[ 6] - b[ 6];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_384_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 55
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 54);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 54);
    }
#elif DIGIT_BIT > 55
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x7fffffffffffffL;
        s = 55U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 55U) <= (word32)DIGIT_BIT) {
            s += 55U;
            r[j] &= 0x7fffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 55) {
            r[j] &= 0x7fffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 55 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Convert a point of type ecc_point to type sp_point_384.
 *
 * p   Point of type sp_point_384 (result).
 * pm  Point of type ecc_point.
 */
static void sp_384_point_from_ecc_point_7(sp_point_384* p,
        const ecc_point* pm)
{
    XMEMSET(p->x, 0, sizeof(p->x));
    XMEMSET(p->y, 0, sizeof(p->y));
    XMEMSET(p->z, 0, sizeof(p->z));
    sp_384_from_mp(p->x, 7, pm->x);
    sp_384_from_mp(p->y, 7, pm->y);
    sp_384_from_mp(p->z, 7, pm->z);
    p->infinity = 0;
}

/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_384_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (384 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 55
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 7);
        r->used = 7;
        mp_clamp(r);
#elif DIGIT_BIT < 55
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 7; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 55) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 55 - s;
        }
        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 7; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 55 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 55 - s;
            }
            else {
                s += 55;
            }
        }
        r->used = (384 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Convert a point of type sp_point_384 to type ecc_point.
 *
 * p   Point of type sp_point_384.
 * pm  Point of type ecc_point (result).
 * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
 * MP_OKAY.
 */
static int sp_384_point_to_ecc_point_7(const sp_point_384* p, ecc_point* pm)
{
    int err;

    err = sp_384_to_mp(p->x, pm->x);
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->y, pm->y);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->z, pm->z);
    }

    return err;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_384_cmp_7(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=6; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 54);
    }
#else
    r |= (a[ 6] - b[ 6]) & (0 - (sp_digit)1);
    r |= (a[ 5] - b[ 5]) & ~(((sp_digit)0 - r) >> 54);
    r |= (a[ 4] - b[ 4]) & ~(((sp_digit)0 - r) >> 54);
    r |= (a[ 3] - b[ 3]) & ~(((sp_digit)0 - r) >> 54);
    r |= (a[ 2] - b[ 2]) & ~(((sp_digit)0 - r) >> 54);
    r |= (a[ 1] - b[ 1]) & ~(((sp_digit)0 - r) >> 54);
    r |= (a[ 0] - b[ 0]) & ~(((sp_digit)0 - r) >> 54);
#endif /* WOLFSSL_SP_SMALL */

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_384_cond_sub_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 7; i++) {
        r[i] = a[i] - (b[i] & m);
    }
#else
    r[ 0] = a[ 0] - (b[ 0] & m);
    r[ 1] = a[ 1] - (b[ 1] & m);
    r[ 2] = a[ 2] - (b[ 2] & m);
    r[ 3] = a[ 3] - (b[ 3] & m);
    r[ 4] = a[ 4] - (b[ 4] & m);
    r[ 5] = a[ 5] - (b[ 5] & m);
    r[ 6] = a[ 6] - (b[ 6] & m);
#endif /* WOLFSSL_SP_SMALL */
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_384_mul_add_7(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 4; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x7fffffffffffffL;
        t[1] += t[0] >> 55;
        r[i+1] = t[1] & 0x7fffffffffffffL;
        t[2] += t[1] >> 55;
        r[i+2] = t[2] & 0x7fffffffffffffL;
        t[3] += t[2] >> 55;
        r[i+3] = t[3] & 0x7fffffffffffffL;
        t[0]  = t[3] >> 55;
    }
    t[0] += (tb * a[4]) + r[4];
    t[1]  = (tb * a[5]) + r[5];
    t[2]  = (tb * a[6]) + r[6];
    r[4] = t[0] & 0x7fffffffffffffL;
    t[1] += t[0] >> 55;
    r[5] = t[1] & 0x7fffffffffffffL;
    t[2] += t[1] >> 55;
    r[6] = t[2] & 0x7fffffffffffffL;
    r[7] +=  (sp_digit)(t[2] >> 55);
#else
    sp_int128 tb = b;
    sp_int128 t[7];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    t[ 5] = tb * a[ 5];
    t[ 6] = tb * a[ 6];
    r[ 0] += (sp_digit)                 (t[ 0] & 0x7fffffffffffffL);
    r[ 1] += (sp_digit)((t[ 0] >> 55) + (t[ 1] & 0x7fffffffffffffL));
    r[ 2] += (sp_digit)((t[ 1] >> 55) + (t[ 2] & 0x7fffffffffffffL));
    r[ 3] += (sp_digit)((t[ 2] >> 55) + (t[ 3] & 0x7fffffffffffffL));
    r[ 4] += (sp_digit)((t[ 3] >> 55) + (t[ 4] & 0x7fffffffffffffL));
    r[ 5] += (sp_digit)((t[ 4] >> 55) + (t[ 5] & 0x7fffffffffffffL));
    r[ 6] += (sp_digit)((t[ 5] >> 55) + (t[ 6] & 0x7fffffffffffffL));
    r[ 7] += (sp_digit) (t[ 6] >> 55);
#endif /* WOLFSSL_SP_SMALL */
}

/* Normalize the values in each word to 55 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_384_norm_7(sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    for (i = 0; i < 6; i++) {
        a[i+1] += a[i] >> 55;
        a[i] &= 0x7fffffffffffffL;
    }
#else
    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;
#endif /* WOLFSSL_SP_SMALL */
}

/* Shift the result in the high 384 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_384_mont_shift_7(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    sp_uint64 n;

    n = a[6] >> 54;
    for (i = 0; i < 6; i++) {
        n += (sp_uint64)a[7 + i] << 1;
        r[i] = n & 0x7fffffffffffffL;
        n >>= 55;
    }
    n += (sp_uint64)a[13] << 1;
    r[6] = n;
#else
    sp_uint64 n;

    n  = a[6] >> 54;
    n += (sp_uint64)a[ 7] << 1U; r[ 0] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[ 8] << 1U; r[ 1] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[ 9] << 1U; r[ 2] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[10] << 1U; r[ 3] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[11] << 1U; r[ 4] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[12] << 1U; r[ 5] = n & 0x7fffffffffffffUL; n >>= 55U;
    n += (sp_uint64)a[13] << 1U; r[ 6] = n;
#endif /* WOLFSSL_SP_SMALL */
    XMEMSET(&r[7], 0, sizeof(*r) * 7U);
}

/* Reduce the number back to 384 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_384_mont_reduce_order_7(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_384_norm_7(a + 7);

    for (i=0; i<6; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x7fffffffffffffL;
        sp_384_mul_add_7(a+i, m, mu);
        a[i+1] += a[i] >> 55;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x3fffffffffffffL;
    sp_384_mul_add_7(a+i, m, mu);
    a[i+1] += a[i] >> 55;
    a[i] &= 0x7fffffffffffffL;
    sp_384_mont_shift_7(a, a);
    over = a[6] >> 54;
    sp_384_cond_sub_7(a, a, m, ~((over - 1) >> 63));
    sp_384_norm_7(a);
}

/* Reduce the number back to 384 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_384_mont_reduce_7(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit am;

    (void)m;
    (void)mp;

    for (i = 0; i < 6; i++) {
        am = (a[i] * 0x100000001) & 0x7fffffffffffffL;
        a[i + 0] += (am << 32) & 0x7fffffffffffffL;
        a[i + 1] += (am >> 23) - ((am << 41) & 0x7fffffffffffffL);
        a[i + 2] += -(am >> 14) - ((am << 18) & 0x7fffffffffffffL);
        a[i + 3] += -(am >> 37);
        a[i + 6] += (am << 54) & 0x7fffffffffffffL;
        a[i + 7] += am >> 1;

        a[i + 1] += a[i] >> 55;
    }
    am = (a[6] * 0x100000001) & 0x3fffffffffffff;
    a[6 + 0] += (am << 32) & 0x7fffffffffffffL;
    a[6 + 1] += (am >> 23) - ((am << 41) & 0x7fffffffffffffL);
    a[6 + 2] += -(am >> 14) - ((am << 18) & 0x7fffffffffffffL);
    a[6 + 3] += -(am >> 37);
    a[6 + 6] += (am << 54) & 0x7fffffffffffffL;
    a[6 + 7] += am >> 1;

    a[0] = (a[6] >> 54) + ((a[7] << 1) & 0x7fffffffffffffL);
    a[1] = (a[7] >> 54) + ((a[8] << 1) & 0x7fffffffffffffL);
    a[2] = (a[8] >> 54) + ((a[9] << 1) & 0x7fffffffffffffL);
    a[3] = (a[9] >> 54) + ((a[10] << 1) & 0x7fffffffffffffL);
    a[4] = (a[10] >> 54) + ((a[11] << 1) & 0x7fffffffffffffL);
    a[5] = (a[11] >> 54) + ((a[12] << 1) & 0x7fffffffffffffL);
    a[6] = (a[12] >> 54) +  (a[13] << 1);

    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;

    /* Get the bit over, if any. */
    am = a[6] >> 54;
    /* Create mask. */
    am = 0 - am;

    a[0] -= 0x00000000ffffffffL & am;
    a[1] -= 0x007ffe0000000000L & am;
    a[2] -= 0x007ffffffffbffffL & am;
    a[3] -= 0x007fffffffffffffL & am;
    a[4] -= 0x007fffffffffffffL & am;
    a[5] -= 0x007fffffffffffffL & am;
    a[6] -= 0x003fffffffffffffL & am;

    a[1] += a[0] >> 55; a[0] &= 0x7fffffffffffffL;
    a[2] += a[1] >> 55; a[1] &= 0x7fffffffffffffL;
    a[3] += a[2] >> 55; a[2] &= 0x7fffffffffffffL;
    a[4] += a[3] >> 55; a[3] &= 0x7fffffffffffffL;
    a[5] += a[4] >> 55; a[4] &= 0x7fffffffffffffL;
    a[6] += a[5] >> 55; a[5] &= 0x7fffffffffffffL;
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_384_mont_mul_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_384_mul_7(r, a, b);
    sp_384_mont_reduce_7(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_384_mont_sqr_7(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_384_sqr_7(r, a);
    sp_384_mont_reduce_7(r, m, mp);
}

#if !defined(WOLFSSL_SP_SMALL) || defined(HAVE_COMP_KEY)
/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * n   Number of times to square.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_384_mont_sqr_n_7(sp_digit* r,
    const sp_digit* a, int n, const sp_digit* m, sp_digit mp)
{
    sp_384_mont_sqr_7(r, a, m, mp);
    for (; n > 1; n--) {
        sp_384_mont_sqr_7(r, r, m, mp);
    }
}

#endif /* !WOLFSSL_SP_SMALL || HAVE_COMP_KEY */
#ifdef WOLFSSL_SP_SMALL
/* Mod-2 for the P384 curve. */
static const uint64_t p384_mod_minus_2[6] = {
    0x00000000fffffffdU,0xffffffff00000000U,0xfffffffffffffffeU,
    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
};
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
 * P384 curve. (r = 1 / a mod m)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */
static void sp_384_mont_inv_7(sp_digit* r, const sp_digit* a, sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 7);
    for (i=382; i>=0; i--) {
        sp_384_mont_sqr_7(t, t, p384_mod, p384_mp_mod);
        if (p384_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
            sp_384_mont_mul_7(t, t, a, p384_mod, p384_mp_mod);
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 7);
#else
    sp_digit* t1 = td;
    sp_digit* t2 = td + 2 * 7;
    sp_digit* t3 = td + 4 * 7;
    sp_digit* t4 = td + 6 * 7;
    sp_digit* t5 = td + 8 * 7;

    /* 0x2 */
    sp_384_mont_sqr_7(t1, a, p384_mod, p384_mp_mod);
    /* 0x3 */
    sp_384_mont_mul_7(t5, t1, a, p384_mod, p384_mp_mod);
    /* 0xc */
    sp_384_mont_sqr_n_7(t1, t5, 2, p384_mod, p384_mp_mod);
    /* 0xf */
    sp_384_mont_mul_7(t2, t5, t1, p384_mod, p384_mp_mod);
    /* 0x1e */
    sp_384_mont_sqr_7(t1, t2, p384_mod, p384_mp_mod);
    /* 0x1f */
    sp_384_mont_mul_7(t4, t1, a, p384_mod, p384_mp_mod);
    /* 0x3e0 */
    sp_384_mont_sqr_n_7(t1, t4, 5, p384_mod, p384_mp_mod);
    /* 0x3ff */
    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
    /* 0x7fe0 */
    sp_384_mont_sqr_n_7(t1, t2, 5, p384_mod, p384_mp_mod);
    /* 0x7fff */
    sp_384_mont_mul_7(t4, t4, t1, p384_mod, p384_mp_mod);
    /* 0x3fff8000 */
    sp_384_mont_sqr_n_7(t1, t4, 15, p384_mod, p384_mp_mod);
    /* 0x3fffffff */
    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
    /* 0xfffffffc */
    sp_384_mont_sqr_n_7(t3, t2, 2, p384_mod, p384_mp_mod);
    /* 0xfffffffd */
    sp_384_mont_mul_7(r, t3, a, p384_mod, p384_mp_mod);
    /* 0xffffffff */
    sp_384_mont_mul_7(t3, t5, t3, p384_mod, p384_mp_mod);
    /* 0xfffffffc0000000 */
    sp_384_mont_sqr_n_7(t1, t2, 30, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffff */
    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffff000000000000000 */
    sp_384_mont_sqr_n_7(t1, t2, 60, p384_mod, p384_mp_mod);
    /* 0xffffffffffffffffffffffffffffff */
    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
    /* 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
    sp_384_mont_sqr_n_7(t1, t2, 120, p384_mod, p384_mp_mod);
    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
    sp_384_mont_mul_7(t2, t2, t1, p384_mod, p384_mp_mod);
    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
    sp_384_mont_sqr_n_7(t1, t2, 15, p384_mod, p384_mp_mod);
    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
    sp_384_mont_mul_7(t2, t4, t1, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe00000000 */
    sp_384_mont_sqr_n_7(t1, t2, 33, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff */
    sp_384_mont_mul_7(t2, t3, t1, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff000000000000000000000000 */
    sp_384_mont_sqr_n_7(t1, t2, 96, p384_mod, p384_mp_mod);
    /* 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffd */
    sp_384_mont_mul_7(r, r, t1, p384_mod, p384_mp_mod);

#endif /* WOLFSSL_SP_SMALL */
}

/* Map the Montgomery form projective coordinate point to an affine point.
 *
 * r  Resulting affine coordinate point.
 * p  Montgomery form projective coordinate point.
 * t  Temporary ordinate data.
 */
static void sp_384_map_7(sp_point_384* r, const sp_point_384* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*7;
    sp_int64 n;

    sp_384_mont_inv_7(t1, p->z, t + 2*7);

    sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t1, t2, t1, p384_mod, p384_mp_mod);

    /* x /= z^2 */
    sp_384_mont_mul_7(r->x, p->x, t2, p384_mod, p384_mp_mod);
    XMEMSET(r->x + 7, 0, sizeof(sp_digit) * 7U);
    sp_384_mont_reduce_7(r->x, p384_mod, p384_mp_mod);
    /* Reduce x to less than modulus */
    n = sp_384_cmp_7(r->x, p384_mod);
    sp_384_cond_sub_7(r->x, r->x, p384_mod, ~(n >> 54));
    sp_384_norm_7(r->x);

    /* y /= z^3 */
    sp_384_mont_mul_7(r->y, p->y, t1, p384_mod, p384_mp_mod);
    XMEMSET(r->y + 7, 0, sizeof(sp_digit) * 7U);
    sp_384_mont_reduce_7(r->y, p384_mod, p384_mp_mod);
    /* Reduce y to less than modulus */
    n = sp_384_cmp_7(r->y, p384_mod);
    sp_384_cond_sub_7(r->y, r->y, p384_mod, ~(n >> 54));
    sp_384_norm_7(r->y);

    XMEMSET(r->z, 0, sizeof(r->z) / 2);
    r->z[0] = 1;
}

/* Add two Montgomery form numbers (r = a + b % m).
 *
 * r   Result of addition.
 * a   First number to add in Montgomery form.
 * b   Second number to add in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_384_mont_add_7(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    sp_digit over;
    (void)sp_384_add_7(r, a, b);
    sp_384_norm_7(r);
    over = r[6] >> 54;
    sp_384_cond_sub_7(r, r, m, ~((over - 1) >> 63));
    sp_384_norm_7(r);
}

/* Double a Montgomery form number (r = a + a % m).
 *
 * r   Result of doubling.
 * a   Number to double in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_384_mont_dbl_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_384_add_7(r, a, a);
    sp_384_norm_7(r);
    over = r[6] >> 54;
    sp_384_cond_sub_7(r, r, m, ~((over - 1) >> 63));
    sp_384_norm_7(r);
}

/* Triple a Montgomery form number (r = a + a + a % m).
 *
 * r   Result of Tripling.
 * a   Number to triple in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_384_mont_tpl_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_384_add_7(r, a, a);
    sp_384_norm_7(r);
    over = r[6] >> 54;
    sp_384_cond_sub_7(r, r, m, ~((over - 1) >> 63));
    sp_384_norm_7(r);
    (void)sp_384_add_7(r, r, a);
    sp_384_norm_7(r);
    over = r[6] >> 54;
    sp_384_cond_sub_7(r, r, m, ~((over - 1) >> 63));
    sp_384_norm_7(r);
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_384_cond_add_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 7; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_384_cond_add_7(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    r[ 0] = a[ 0] + (b[ 0] & m);
    r[ 1] = a[ 1] + (b[ 1] & m);
    r[ 2] = a[ 2] + (b[ 2] & m);
    r[ 3] = a[ 3] + (b[ 3] & m);
    r[ 4] = a[ 4] + (b[ 4] & m);
    r[ 5] = a[ 5] + (b[ 5] & m);
    r[ 6] = a[ 6] + (b[ 6] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

/* Subtract two Montgomery form numbers (r = a - b % m).
 *
 * r   Result of subtration.
 * a   Number to subtract from in Montgomery form.
 * b   Number to subtract with in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_384_mont_sub_7(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    (void)sp_384_sub_7(r, a, b);
    sp_384_norm_7(r);
    sp_384_cond_add_7(r, r, m, r[6] >> 54);
    sp_384_norm_7(r);
}

/* Shift number left one bit.
 * Bottom bit is lost.
 *
 * r  Result of shift.
 * a  Number to shift.
 */
SP_NOINLINE static void sp_384_rshift1_7(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=0; i<6; i++) {
        r[i] = (a[i] >> 1) + ((a[i + 1] << 54) & 0x7fffffffffffffL);
    }
#else
    r[0] = (a[0] >> 1) + ((a[1] << 54) & 0x7fffffffffffffL);
    r[1] = (a[1] >> 1) + ((a[2] << 54) & 0x7fffffffffffffL);
    r[2] = (a[2] >> 1) + ((a[3] << 54) & 0x7fffffffffffffL);
    r[3] = (a[3] >> 1) + ((a[4] << 54) & 0x7fffffffffffffL);
    r[4] = (a[4] >> 1) + ((a[5] << 54) & 0x7fffffffffffffL);
    r[5] = (a[5] >> 1) + ((a[6] << 54) & 0x7fffffffffffffL);
#endif
    r[6] = a[6] >> 1;
}

/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
 *
 * r  Result of division by 2.
 * a  Number to divide.
 * m  Modulus (prime).
 */
static void sp_384_mont_div2_7(sp_digit* r, const sp_digit* a,
        const sp_digit* m)
{
    sp_384_cond_add_7(r, a, m, 0 - (a[0] & 1));
    sp_384_norm_7(r);
    sp_384_rshift1_7(r, r);
}

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static void sp_384_proj_point_dbl_7(sp_point_384* r, const sp_point_384* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*7;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;

    x = r->x;
    y = r->y;
    z = r->z;
    /* Put infinity into result. */
    if (r != p) {
        r->infinity = p->infinity;
    }

    /* T1 = Z * Z */
    sp_384_mont_sqr_7(t1, p->z, p384_mod, p384_mp_mod);
    /* Z = Y * Z */
    sp_384_mont_mul_7(z, p->y, p->z, p384_mod, p384_mp_mod);
    /* Z = 2Z */
    sp_384_mont_dbl_7(z, z, p384_mod);
    /* T2 = X - T1 */
    sp_384_mont_sub_7(t2, p->x, t1, p384_mod);
    /* T1 = X + T1 */
    sp_384_mont_add_7(t1, p->x, t1, p384_mod);
    /* T2 = T1 * T2 */
    sp_384_mont_mul_7(t2, t1, t2, p384_mod, p384_mp_mod);
    /* T1 = 3T2 */
    sp_384_mont_tpl_7(t1, t2, p384_mod);
    /* Y = 2Y */
    sp_384_mont_dbl_7(y, p->y, p384_mod);
    /* Y = Y * Y */
    sp_384_mont_sqr_7(y, y, p384_mod, p384_mp_mod);
    /* T2 = Y * Y */
    sp_384_mont_sqr_7(t2, y, p384_mod, p384_mp_mod);
    /* T2 = T2/2 */
    sp_384_mont_div2_7(t2, t2, p384_mod);
    /* Y = Y * X */
    sp_384_mont_mul_7(y, y, p->x, p384_mod, p384_mp_mod);
    /* X = T1 * T1 */
    sp_384_mont_sqr_7(x, t1, p384_mod, p384_mp_mod);
    /* X = X - Y */
    sp_384_mont_sub_7(x, x, y, p384_mod);
    /* X = X - Y */
    sp_384_mont_sub_7(x, x, y, p384_mod);
    /* Y = Y - X */
    sp_384_mont_sub_7(y, y, x, p384_mod);
    /* Y = Y * T1 */
    sp_384_mont_mul_7(y, y, t1, p384_mod, p384_mp_mod);
    /* Y = Y - T2 */
    sp_384_mont_sub_7(y, y, t2, p384_mod);
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_384_proj_point_dbl_7_ctx {
    int state;
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_384_proj_point_dbl_7_ctx;

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static int sp_384_proj_point_dbl_7_nb(sp_ecc_ctx_t* sp_ctx, sp_point_384* r,
        const sp_point_384* p, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_384_proj_point_dbl_7_ctx* ctx = (sp_384_proj_point_dbl_7_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_384_proj_point_dbl_7_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        ctx->t1 = t;
        ctx->t2 = t + 2*7;
        ctx->x = r->x;
        ctx->y = r->y;
        ctx->z = r->z;

        /* Put infinity into result. */
        if (r != p) {
            r->infinity = p->infinity;
        }
        ctx->state = 1;
        break;
    case 1:
        /* T1 = Z * Z */
        sp_384_mont_sqr_7(ctx->t1, p->z, p384_mod, p384_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        /* Z = Y * Z */
        sp_384_mont_mul_7(ctx->z, p->y, p->z, p384_mod, p384_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        /* Z = 2Z */
        sp_384_mont_dbl_7(ctx->z, ctx->z, p384_mod);
        ctx->state = 4;
        break;
    case 4:
        /* T2 = X - T1 */
        sp_384_mont_sub_7(ctx->t2, p->x, ctx->t1, p384_mod);
        ctx->state = 5;
        break;
    case 5:
        /* T1 = X + T1 */
        sp_384_mont_add_7(ctx->t1, p->x, ctx->t1, p384_mod);
        ctx->state = 6;
        break;
    case 6:
        /* T2 = T1 * T2 */
        sp_384_mont_mul_7(ctx->t2, ctx->t1, ctx->t2, p384_mod, p384_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* T1 = 3T2 */
        sp_384_mont_tpl_7(ctx->t1, ctx->t2, p384_mod);
        ctx->state = 8;
        break;
    case 8:
        /* Y = 2Y */
        sp_384_mont_dbl_7(ctx->y, p->y, p384_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Y = Y * Y */
        sp_384_mont_sqr_7(ctx->y, ctx->y, p384_mod, p384_mp_mod);
        ctx->state = 10;
        break;
    case 10:
        /* T2 = Y * Y */
        sp_384_mont_sqr_7(ctx->t2, ctx->y, p384_mod, p384_mp_mod);
        ctx->state = 11;
        break;
    case 11:
        /* T2 = T2/2 */
        sp_384_mont_div2_7(ctx->t2, ctx->t2, p384_mod);
        ctx->state = 12;
        break;
    case 12:
        /* Y = Y * X */
        sp_384_mont_mul_7(ctx->y, ctx->y, p->x, p384_mod, p384_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        /* X = T1 * T1 */
        sp_384_mont_sqr_7(ctx->x, ctx->t1, p384_mod, p384_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        /* X = X - Y */
        sp_384_mont_sub_7(ctx->x, ctx->x, ctx->y, p384_mod);
        ctx->state = 15;
        break;
    case 15:
        /* X = X - Y */
        sp_384_mont_sub_7(ctx->x, ctx->x, ctx->y, p384_mod);
        ctx->state = 16;
        break;
    case 16:
        /* Y = Y - X */
        sp_384_mont_sub_7(ctx->y, ctx->y, ctx->x, p384_mod);
        ctx->state = 17;
        break;
    case 17:
        /* Y = Y * T1 */
        sp_384_mont_mul_7(ctx->y, ctx->y, ctx->t1, p384_mod, p384_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        /* Y = Y - T2 */
        sp_384_mont_sub_7(ctx->y, ctx->y, ctx->t2, p384_mod);
        ctx->state = 19;
        /* fall-through */
    case 19:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 19) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
/* Compare two numbers to determine if they are equal.
 * Constant time implementation.
 *
 * a  First number to compare.
 * b  Second number to compare.
 * returns 1 when equal and 0 otherwise.
 */
static int sp_384_cmp_equal_7(const sp_digit* a, const sp_digit* b)
{
    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) |
            (a[3] ^ b[3]) | (a[4] ^ b[4]) | (a[5] ^ b[5]) |
            (a[6] ^ b[6])) == 0;
}

/* Returns 1 if the number of zero.
 * Implementation is constant time.
 *
 * a  Number to check.
 * returns 1 if the number is zero and 0 otherwise.
 */
static int sp_384_iszero_7(const sp_digit* a)
{
    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6]) == 0;
}


/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_384_proj_point_add_7(sp_point_384* r,
        const sp_point_384* p, const sp_point_384* q, sp_digit* t)
{
    sp_digit* t6 = t;
    sp_digit* t1 = t + 2*7;
    sp_digit* t2 = t + 4*7;
    sp_digit* t3 = t + 6*7;
    sp_digit* t4 = t + 8*7;
    sp_digit* t5 = t + 10*7;

    /* U1 = X1*Z2^2 */
    sp_384_mont_sqr_7(t1, q->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t3, t1, q->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t1, t1, p->x, p384_mod, p384_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_384_mont_sqr_7(t2, p->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t4, t2, p->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t2, t2, q->x, p384_mod, p384_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_384_mont_mul_7(t3, t3, p->y, p384_mod, p384_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_384_mont_mul_7(t4, t4, q->y, p384_mod, p384_mp_mod);

    /* Check double */
    if ((~p->infinity) & (~q->infinity) &
            sp_384_cmp_equal_7(t2, t1) &
            sp_384_cmp_equal_7(t4, t3)) {
        sp_384_proj_point_dbl_7(r, p, t);
    }
    else {
        sp_digit* x = t6;
        sp_digit* y = t1;
        sp_digit* z = t2;

        /* H = U2 - U1 */
        sp_384_mont_sub_7(t2, t2, t1, p384_mod);
        /* R = S2 - S1 */
        sp_384_mont_sub_7(t4, t4, t3, p384_mod);
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_384_mont_sqr_7(t5, t2, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(y, t1, t5, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(t5, t5, t2, p384_mod, p384_mp_mod);
        /* Z3 = H*Z1*Z2 */
        sp_384_mont_mul_7(z, p->z, t2, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(z, z, q->z, p384_mod, p384_mp_mod);
        sp_384_mont_sqr_7(x, t4, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(x, x, t5, p384_mod);
        sp_384_mont_mul_7(t5, t5, t3, p384_mod, p384_mp_mod);
        sp_384_mont_dbl_7(t3, y, p384_mod);
        sp_384_mont_sub_7(x, x, t3, p384_mod);
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_384_mont_sub_7(y, y, x, p384_mod);
        sp_384_mont_mul_7(y, y, t4, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(y, y, t5, p384_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 7; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_384_proj_point_add_7_ctx {
    int state;
    sp_384_proj_point_dbl_7_ctx dbl_ctx;
    const sp_point_384* ap[2];
    sp_point_384* rp[2];
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* t3;
    sp_digit* t4;
    sp_digit* t5;
    sp_digit* t6;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_384_proj_point_add_7_ctx;

/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static int sp_384_proj_point_add_7_nb(sp_ecc_ctx_t* sp_ctx, sp_point_384* r,
    const sp_point_384* p, const sp_point_384* q, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_384_proj_point_add_7_ctx* ctx = (sp_384_proj_point_add_7_ctx*)sp_ctx->data;

    /* Ensure only the first point is the same as the result. */
    if (q == r) {
        const sp_point_384* a = p;
        p = q;
        q = a;
    }

    typedef char ctx_size_test[sizeof(sp_384_proj_point_add_7_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->t6 = t;
        ctx->t1 = t + 2*7;
        ctx->t2 = t + 4*7;
        ctx->t3 = t + 6*7;
        ctx->t4 = t + 8*7;
        ctx->t5 = t + 10*7;
        ctx->x = ctx->t6;
        ctx->y = ctx->t1;
        ctx->z = ctx->t2;

        ctx->state = 1;
        break;
    case 1:
        /* U1 = X1*Z2^2 */
        sp_384_mont_sqr_7(ctx->t1, q->z, p384_mod, p384_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        sp_384_mont_mul_7(ctx->t3, ctx->t1, q->z, p384_mod, p384_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        sp_384_mont_mul_7(ctx->t1, ctx->t1, p->x, p384_mod, p384_mp_mod);
        ctx->state = 4;
        break;
    case 4:
        /* U2 = X2*Z1^2 */
        sp_384_mont_sqr_7(ctx->t2, p->z, p384_mod, p384_mp_mod);
        ctx->state = 5;
        break;
    case 5:
        sp_384_mont_mul_7(ctx->t4, ctx->t2, p->z, p384_mod, p384_mp_mod);
        ctx->state = 6;
        break;
    case 6:
        sp_384_mont_mul_7(ctx->t2, ctx->t2, q->x, p384_mod, p384_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* S1 = Y1*Z2^3 */
        sp_384_mont_mul_7(ctx->t3, ctx->t3, p->y, p384_mod, p384_mp_mod);
        ctx->state = 8;
        break;
    case 8:
        /* S2 = Y2*Z1^3 */
        sp_384_mont_mul_7(ctx->t4, ctx->t4, q->y, p384_mod, p384_mp_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Check double */
        if ((~p->infinity) & (~q->infinity) &
                sp_384_cmp_equal_7(ctx->t2, ctx->t1) &
                sp_384_cmp_equal_7(ctx->t4, ctx->t3)) {
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            sp_384_proj_point_dbl_7(r, p, t);
            ctx->state = 25;
        }
        else {
            ctx->state = 10;
        }
        break;
    case 10:
        /* H = U2 - U1 */
        sp_384_mont_sub_7(ctx->t2, ctx->t2, ctx->t1, p384_mod);
        ctx->state = 11;
        break;
    case 11:
        /* R = S2 - S1 */
        sp_384_mont_sub_7(ctx->t4, ctx->t4, ctx->t3, p384_mod);
        ctx->state = 12;
        break;
    case 12:
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_384_mont_sqr_7(ctx->t5, ctx->t2, p384_mod, p384_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        sp_384_mont_mul_7(ctx->y, ctx->t1, ctx->t5, p384_mod, p384_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        sp_384_mont_mul_7(ctx->t5, ctx->t5, ctx->t2, p384_mod, p384_mp_mod);
        ctx->state = 15;
        break;
    case 15:
        /* Z3 = H*Z1*Z2 */
        sp_384_mont_mul_7(ctx->z, p->z, ctx->t2, p384_mod, p384_mp_mod);
        ctx->state = 16;
        break;
    case 16:
        sp_384_mont_mul_7(ctx->z, ctx->z, q->z, p384_mod, p384_mp_mod);
        ctx->state = 17;
        break;
    case 17:
        sp_384_mont_sqr_7(ctx->x, ctx->t4, p384_mod, p384_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        sp_384_mont_sub_7(ctx->x, ctx->x, ctx->t5, p384_mod);
        ctx->state = 19;
        break;
    case 19:
        sp_384_mont_mul_7(ctx->t5, ctx->t5, ctx->t3, p384_mod, p384_mp_mod);
        ctx->state = 20;
        break;
    case 20:
        sp_384_mont_dbl_7(ctx->t3, ctx->y, p384_mod);
        sp_384_mont_sub_7(ctx->x, ctx->x, ctx->t3, p384_mod);
        ctx->state = 21;
        break;
    case 21:
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_384_mont_sub_7(ctx->y, ctx->y, ctx->x, p384_mod);
        ctx->state = 22;
        break;
    case 22:
        sp_384_mont_mul_7(ctx->y, ctx->y, ctx->t4, p384_mod, p384_mp_mod);
        ctx->state = 23;
        break;
    case 23:
        sp_384_mont_sub_7(ctx->y, ctx->y, ctx->t5, p384_mod);
        ctx->state = 24;
        break;
    case 24:
    {
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 7; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (ctx->x[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (ctx->y[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (ctx->z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
        ctx->state = 25;
        break;
    }
    case 25:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 25) {
        err = FP_WOULDBLOCK;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

/* Multiply a number by Montgomery normalizer mod modulus (prime).
 *
 * r  The resulting Montgomery form number.
 * a  The number to convert.
 * m  The modulus (prime).
 * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
 */
static int sp_384_mod_mul_norm_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    int64_t* t = NULL;
#else
    int64_t t[2 * 12];
#endif
    int64_t* a32 = NULL;
    int64_t o;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (int64_t*)XMALLOC(sizeof(int64_t) * 2 * 12, NULL, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        a32 = t + 12;

        a32[0] = (sp_digit)(a[0]) & 0xffffffffL;
        a32[1] = (sp_digit)(a[0] >> 32U);
        a32[1] |= (sp_digit)(a[1] << 23U);
        a32[1] &= 0xffffffffL;
        a32[2] = (sp_digit)(a[1] >> 9U) & 0xffffffffL;
        a32[3] = (sp_digit)(a[1] >> 41U);
        a32[3] |= (sp_digit)(a[2] << 14U);
        a32[3] &= 0xffffffffL;
        a32[4] = (sp_digit)(a[2] >> 18U) & 0xffffffffL;
        a32[5] = (sp_digit)(a[2] >> 50U);
        a32[5] |= (sp_digit)(a[3] << 5U);
        a32[5] &= 0xffffffffL;
        a32[6] = (sp_digit)(a[3] >> 27U);
        a32[6] |= (sp_digit)(a[4] << 28U);
        a32[6] &= 0xffffffffL;
        a32[7] = (sp_digit)(a[4] >> 4U) & 0xffffffffL;
        a32[8] = (sp_digit)(a[4] >> 36U);
        a32[8] |= (sp_digit)(a[5] << 19U);
        a32[8] &= 0xffffffffL;
        a32[9] = (sp_digit)(a[5] >> 13U) & 0xffffffffL;
        a32[10] = (sp_digit)(a[5] >> 45U);
        a32[10] |= (sp_digit)(a[6] << 10U);
        a32[10] &= 0xffffffffL;
        a32[11] = (sp_digit)(a[6] >> 22U) & 0xffffffffL;

        /*  1  0  0  0  0  0  0  0  1  1  0 -1 */
        t[0] = 0 + a32[0] + a32[8] + a32[9] - a32[11];
        /* -1  1  0  0  0  0  0  0 -1  0  1  1 */
        t[1] = 0 - a32[0] + a32[1] - a32[8] + a32[10] + a32[11];
        /*  0 -1  1  0  0  0  0  0  0 -1  0  1 */
        t[2] = 0 - a32[1] + a32[2] - a32[9] + a32[11];
        /*  1  0 -1  1  0  0  0  0  1  1 -1 -1 */
        t[3] = 0 + a32[0] - a32[2] + a32[3] + a32[8] + a32[9] - a32[10] - a32[11];
        /*  1  1  0 -1  1  0  0  0  1  2  1 -2 */
        t[4] = 0 + a32[0] + a32[1] - a32[3] + a32[4] + a32[8] + 2 * a32[9] + a32[10] -  2 * a32[11];
        /*  0  1  1  0 -1  1  0  0  0  1  2  1 */
        t[5] = 0 + a32[1] + a32[2] - a32[4] + a32[5] + a32[9] + 2 * a32[10] + a32[11];
        /*  0  0  1  1  0 -1  1  0  0  0  1  2 */
        t[6] = 0 + a32[2] + a32[3] - a32[5] + a32[6] + a32[10] + 2 * a32[11];
        /*  0  0  0  1  1  0 -1  1  0  0  0  1 */
        t[7] = 0 + a32[3] + a32[4] - a32[6] + a32[7] + a32[11];
        /*  0  0  0  0  1  1  0 -1  1  0  0  0 */
        t[8] = 0 + a32[4] + a32[5] - a32[7] + a32[8];
        /*  0  0  0  0  0  1  1  0 -1  1  0  0 */
        t[9] = 0 + a32[5] + a32[6] - a32[8] + a32[9];
        /*  0  0  0  0  0  0  1  1  0 -1  1  0 */
        t[10] = 0 + a32[6] + a32[7] - a32[9] + a32[10];
        /*  0  0  0  0  0  0  0  1  1  0 -1  1 */
        t[11] = 0 + a32[7] + a32[8] - a32[10] + a32[11];

        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
        t[11] += t[10] >> 32; t[10] &= 0xffffffff;
        o     = t[11] >> 32; t[11] &= 0xffffffff;
        t[0] += o;
        t[1] -= o;
        t[3] += o;
        t[4] += o;
        t[1] += t[0] >> 32; t[0] &= 0xffffffff;
        t[2] += t[1] >> 32; t[1] &= 0xffffffff;
        t[3] += t[2] >> 32; t[2] &= 0xffffffff;
        t[4] += t[3] >> 32; t[3] &= 0xffffffff;
        t[5] += t[4] >> 32; t[4] &= 0xffffffff;
        t[6] += t[5] >> 32; t[5] &= 0xffffffff;
        t[7] += t[6] >> 32; t[6] &= 0xffffffff;
        t[8] += t[7] >> 32; t[7] &= 0xffffffff;
        t[9] += t[8] >> 32; t[8] &= 0xffffffff;
        t[10] += t[9] >> 32; t[9] &= 0xffffffff;
        t[11] += t[10] >> 32; t[10] &= 0xffffffff;

        r[0] = t[0];
        r[0] |= t[1] << 32U;
        r[0] &= 0x7fffffffffffffLL;
        r[1] = (t[1] >> 23);
        r[1] |= t[2] << 9U;
        r[1] |= t[3] << 41U;
        r[1] &= 0x7fffffffffffffLL;
        r[2] = (t[3] >> 14);
        r[2] |= t[4] << 18U;
        r[2] |= t[5] << 50U;
        r[2] &= 0x7fffffffffffffLL;
        r[3] = (t[5] >> 5);
        r[3] |= t[6] << 27U;
        r[3] &= 0x7fffffffffffffLL;
        r[4] = (t[6] >> 28);
        r[4] |= t[7] << 4U;
        r[4] |= t[8] << 36U;
        r[4] &= 0x7fffffffffffffLL;
        r[5] = (t[8] >> 19);
        r[5] |= t[9] << 13U;
        r[5] |= t[10] << 45U;
        r[5] &= 0x7fffffffffffffLL;
        r[6] = (t[10] >> 10);
        r[6] |= t[11] << 22U;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Small implementation using add and double that is cache attack resistant but
 * allocates memory rather than use large stacks.
 * 384 adds and doubles.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_384 t[3];
    sp_digit tmp[2 * 7 * 6];
#endif
    sp_digit n;
    int i;
    int c;
    int y;
    int err = MP_OKAY;

    /* Implementation is constant time. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        XMEMSET(t, 0, sizeof(sp_point_384) * 3);

        /* t[0] = {0, 0, 1} * norm */
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_384_mod_mul_norm_7(t[1].x, g->x, p384_mod);
    }
    if (err == MP_OKAY)
        err = sp_384_mod_mul_norm_7(t[1].y, g->y, p384_mod);
    if (err == MP_OKAY)
        err = sp_384_mod_mul_norm_7(t[1].z, g->z, p384_mod);

    if (err == MP_OKAY) {
        i = 6;
        c = 54;
        n = k[i--] << (55 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1)
                    break;

                n = k[i--];
                c = 55;
            }

            y = (n >> 54) & 1;
            n <<= 1;

            sp_384_proj_point_add_7(&t[y^1], &t[0], &t[1], tmp);

            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
                                   ((size_t)&t[1] & addr_mask[y])),
                    sizeof(sp_point_384));
            sp_384_proj_point_dbl_7(&t[2], &t[2], tmp);
            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
                            ((size_t)&t[1] & addr_mask[y])), &t[2],
                    sizeof(sp_point_384));
        }

        if (map != 0) {
            sp_384_map_7(r, &t[0], tmp);
        }
        else {
            XMEMCPY(r, &t[0], sizeof(sp_point_384));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
#endif
    {
        ForceZero(tmp, sizeof(sp_digit) * 2 * 7 * 6);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
#endif
    {
        ForceZero(t, sizeof(sp_point_384) * 3);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_384_ecc_mulmod_7_ctx {
    int state;
    union {
        sp_384_proj_point_dbl_7_ctx dbl_ctx;
        sp_384_proj_point_add_7_ctx add_ctx;
    };
    sp_point_384 t[3];
    sp_digit tmp[2 * 7 * 6];
    sp_digit n;
    int i;
    int c;
    int y;
} sp_384_ecc_mulmod_7_ctx;

static int sp_384_ecc_mulmod_7_nb(sp_ecc_ctx_t* sp_ctx, sp_point_384* r,
    const sp_point_384* g, const sp_digit* k, int map, int ct, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_384_ecc_mulmod_7_ctx* ctx = (sp_384_ecc_mulmod_7_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_384_ecc_mulmod_7_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    /* Implementation is constant time. */
    (void)ct;

    switch (ctx->state) {
    case 0: /* INIT */
        XMEMSET(ctx->t, 0, sizeof(sp_point_384) * 3);
        ctx->i = 6;
        ctx->c = 54;
        ctx->n = k[ctx->i--] << (55 - ctx->c);

        /* t[0] = {0, 0, 1} * norm */
        ctx->t[0].infinity = 1;
        ctx->state = 1;
        break;
    case 1: /* T1X */
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_384_mod_mul_norm_7(ctx->t[1].x, g->x, p384_mod);
        ctx->state = 2;
        break;
    case 2: /* T1Y */
        err = sp_384_mod_mul_norm_7(ctx->t[1].y, g->y, p384_mod);
        ctx->state = 3;
        break;
    case 3: /* T1Z */
        err = sp_384_mod_mul_norm_7(ctx->t[1].z, g->z, p384_mod);
        ctx->state = 4;
        break;
    case 4: /* ADDPREP */
        if (ctx->c == 0) {
            if (ctx->i == -1) {
                ctx->state = 7;
                break;
            }

            ctx->n = k[ctx->i--];
            ctx->c = 55;
        }
        ctx->y = (ctx->n >> 54) & 1;
        ctx->n <<= 1;
        XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
        ctx->state = 5;
        break;
    case 5: /* ADD */
        err = sp_384_proj_point_add_7_nb((sp_ecc_ctx_t*)&ctx->add_ctx,
            &ctx->t[ctx->y^1], &ctx->t[0], &ctx->t[1], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY(&ctx->t[2], (void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                                        ((size_t)&ctx->t[1] & addr_mask[ctx->y])),
                    sizeof(sp_point_384));
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* DBL */
        err = sp_384_proj_point_dbl_7_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->t[2],
            &ctx->t[2], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY((void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                            ((size_t)&ctx->t[1] & addr_mask[ctx->y])), &ctx->t[2],
                    sizeof(sp_point_384));
            ctx->state = 4;
            ctx->c--;
        }
        break;
    case 7: /* MAP */
        if (map != 0) {
            sp_384_map_7(r, &ctx->t[0], ctx->tmp);
        }
        else {
            XMEMCPY(r, &ctx->t[0], sizeof(sp_point_384));
        }
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 7) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        ForceZero(ctx->tmp, sizeof(ctx->tmp));
        ForceZero(ctx->t, sizeof(ctx->t));
    }

    (void)heap;

    return err;
}

#endif /* WOLFSSL_SP_NONBLOCK */

#else
/* A table entry for pre-computed points. */
typedef struct sp_table_entry_384 {
    sp_digit x[7];
    sp_digit y[7];
} sp_table_entry_384;

/* Conditionally copy a into r using the mask m.
 * m is -1 to copy and 0 when not.
 *
 * r  A single precision number to copy over.
 * a  A single precision number to copy.
 * m  Mask value to apply.
 */
static void sp_384_cond_copy_7(sp_digit* r, const sp_digit* a, const sp_digit m)
{
    sp_digit t[7];
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 7; i++) {
        t[i] = r[i] ^ a[i];
    }
    for (i = 0; i < 7; i++) {
        r[i] ^= t[i] & m;
    }
#else
    t[ 0] = r[ 0] ^ a[ 0];
    t[ 1] = r[ 1] ^ a[ 1];
    t[ 2] = r[ 2] ^ a[ 2];
    t[ 3] = r[ 3] ^ a[ 3];
    t[ 4] = r[ 4] ^ a[ 4];
    t[ 5] = r[ 5] ^ a[ 5];
    t[ 6] = r[ 6] ^ a[ 6];
    r[ 0] ^= t[ 0] & m;
    r[ 1] ^= t[ 1] & m;
    r[ 2] ^= t[ 2] & m;
    r[ 3] ^= t[ 3] & m;
    r[ 4] ^= t[ 4] & m;
    r[ 5] ^= t[ 5] & m;
    r[ 6] ^= t[ 6] & m;
#endif /* WOLFSSL_SP_SMALL */
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_384_proj_point_dbl_n_7(sp_point_384* p, int i,
    sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*7;
    sp_digit* b = t + 4*7;
    sp_digit* t1 = t + 6*7;
    sp_digit* t2 = t + 8*7;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
    volatile int n = i;

    x = p->x;
    y = p->y;
    z = p->z;

    /* Y = 2*Y */
    sp_384_mont_dbl_7(y, y, p384_mod);
    /* W = Z^4 */
    sp_384_mont_sqr_7(w, z, p384_mod, p384_mp_mod);
    sp_384_mont_sqr_7(w, w, p384_mod, p384_mp_mod);
#ifndef WOLFSSL_SP_SMALL
    while (--n > 0)
#else
    while (--n >= 0)
#endif
    {
        /* A = 3*(X^2 - W) */
        sp_384_mont_sqr_7(t1, x, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(t1, t1, w, p384_mod);
        sp_384_mont_tpl_7(a, t1, p384_mod);
        /* B = X*Y^2 */
        sp_384_mont_sqr_7(t1, y, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(b, t1, x, p384_mod, p384_mp_mod);
        /* X = A^2 - 2B */
        sp_384_mont_sqr_7(x, a, p384_mod, p384_mp_mod);
        sp_384_mont_dbl_7(t2, b, p384_mod);
        sp_384_mont_sub_7(x, x, t2, p384_mod);
        /* B = 2.(B - X) */
        sp_384_mont_sub_7(t2, b, x, p384_mod);
        sp_384_mont_dbl_7(b, t2, p384_mod);
        /* Z = Z*Y */
        sp_384_mont_mul_7(z, z, y, p384_mod, p384_mp_mod);
        /* t1 = Y^4 */
        sp_384_mont_sqr_7(t1, t1, p384_mod, p384_mp_mod);
#ifdef WOLFSSL_SP_SMALL
        if (n != 0)
#endif
        {
            /* W = W*Y^4 */
            sp_384_mont_mul_7(w, w, t1, p384_mod, p384_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_384_mont_mul_7(y, b, a, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(y, y, t1, p384_mod);
    }
#ifndef WOLFSSL_SP_SMALL
    /* A = 3*(X^2 - W) */
    sp_384_mont_sqr_7(t1, x, p384_mod, p384_mp_mod);
    sp_384_mont_sub_7(t1, t1, w, p384_mod);
    sp_384_mont_tpl_7(a, t1, p384_mod);
    /* B = X*Y^2 */
    sp_384_mont_sqr_7(t1, y, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(b, t1, x, p384_mod, p384_mp_mod);
    /* X = A^2 - 2B */
    sp_384_mont_sqr_7(x, a, p384_mod, p384_mp_mod);
    sp_384_mont_dbl_7(t2, b, p384_mod);
    sp_384_mont_sub_7(x, x, t2, p384_mod);
    /* B = 2.(B - X) */
    sp_384_mont_sub_7(t2, b, x, p384_mod);
    sp_384_mont_dbl_7(b, t2, p384_mod);
    /* Z = Z*Y */
    sp_384_mont_mul_7(z, z, y, p384_mod, p384_mp_mod);
    /* t1 = Y^4 */
    sp_384_mont_sqr_7(t1, t1, p384_mod, p384_mp_mod);
    /* y = 2*A*(B - X) - Y^4 */
    sp_384_mont_mul_7(y, b, a, p384_mod, p384_mp_mod);
    sp_384_mont_sub_7(y, y, t1, p384_mod);
#endif /* WOLFSSL_SP_SMALL */
    /* Y = Y/2 */
    sp_384_mont_div2_7(y, y, p384_mod);
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_384_proj_point_dbl_n_store_7(sp_point_384* r,
        const sp_point_384* p, int n, int m, sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*7;
    sp_digit* b = t + 4*7;
    sp_digit* t1 = t + 6*7;
    sp_digit* t2 = t + 8*7;
    sp_digit* x = r[2*m].x;
    sp_digit* y = r[(1<<n)*m].y;
    sp_digit* z = r[2*m].z;
    int i;
    int j;

    for (i=0; i<7; i++) {
        x[i] = p->x[i];
    }
    for (i=0; i<7; i++) {
        y[i] = p->y[i];
    }
    for (i=0; i<7; i++) {
        z[i] = p->z[i];
    }

    /* Y = 2*Y */
    sp_384_mont_dbl_7(y, y, p384_mod);
    /* W = Z^4 */
    sp_384_mont_sqr_7(w, z, p384_mod, p384_mp_mod);
    sp_384_mont_sqr_7(w, w, p384_mod, p384_mp_mod);
    j = m;
    for (i=1; i<=n; i++) {
        j *= 2;

        /* A = 3*(X^2 - W) */
        sp_384_mont_sqr_7(t1, x, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(t1, t1, w, p384_mod);
        sp_384_mont_tpl_7(a, t1, p384_mod);
        /* B = X*Y^2 */
        sp_384_mont_sqr_7(t1, y, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(b, t1, x, p384_mod, p384_mp_mod);
        x = r[j].x;
        /* X = A^2 - 2B */
        sp_384_mont_sqr_7(x, a, p384_mod, p384_mp_mod);
        sp_384_mont_dbl_7(t2, b, p384_mod);
        sp_384_mont_sub_7(x, x, t2, p384_mod);
        /* B = 2.(B - X) */
        sp_384_mont_sub_7(t2, b, x, p384_mod);
        sp_384_mont_dbl_7(b, t2, p384_mod);
        /* Z = Z*Y */
        sp_384_mont_mul_7(r[j].z, z, y, p384_mod, p384_mp_mod);
        z = r[j].z;
        /* t1 = Y^4 */
        sp_384_mont_sqr_7(t1, t1, p384_mod, p384_mp_mod);
        if (i != n) {
            /* W = W*Y^4 */
            sp_384_mont_mul_7(w, w, t1, p384_mod, p384_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_384_mont_mul_7(y, b, a, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(y, y, t1, p384_mod);
        /* Y = Y/2 */
        sp_384_mont_div2_7(r[j].y, y, p384_mod);
        r[j].infinity = 0;
    }
}

/* Add two Montgomery form projective points.
 *
 * ra  Result of addition.
 * rs  Result of subtraction.
 * p   First point to add.
 * q   Second point to add.
 * t   Temporary ordinate data.
 */
static void sp_384_proj_point_add_sub_7(sp_point_384* ra,
        sp_point_384* rs, const sp_point_384* p, const sp_point_384* q,
        sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*7;
    sp_digit* t3 = t + 4*7;
    sp_digit* t4 = t + 6*7;
    sp_digit* t5 = t + 8*7;
    sp_digit* t6 = t + 10*7;
    sp_digit* xa = ra->x;
    sp_digit* ya = ra->y;
    sp_digit* za = ra->z;
    sp_digit* xs = rs->x;
    sp_digit* ys = rs->y;
    sp_digit* zs = rs->z;


    XMEMCPY(xa, p->x, sizeof(p->x) / 2);
    XMEMCPY(ya, p->y, sizeof(p->y) / 2);
    XMEMCPY(za, p->z, sizeof(p->z) / 2);
    ra->infinity = 0;
    rs->infinity = 0;

    /* U1 = X1*Z2^2 */
    sp_384_mont_sqr_7(t1, q->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t3, t1, q->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t1, t1, xa, p384_mod, p384_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_384_mont_sqr_7(t2, za, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t4, t2, za, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t2, t2, q->x, p384_mod, p384_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_384_mont_mul_7(t3, t3, ya, p384_mod, p384_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_384_mont_mul_7(t4, t4, q->y, p384_mod, p384_mp_mod);
    /* H = U2 - U1 */
    sp_384_mont_sub_7(t2, t2, t1, p384_mod);
    /* RS = S2 + S1 */
    sp_384_mont_add_7(t6, t4, t3, p384_mod);
    /* R = S2 - S1 */
    sp_384_mont_sub_7(t4, t4, t3, p384_mod);
    /* Z3 = H*Z1*Z2 */
    /* ZS = H*Z1*Z2 */
    sp_384_mont_mul_7(za, za, q->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(za, za, t2, p384_mod, p384_mp_mod);
    XMEMCPY(zs, za, sizeof(p->z)/2);
    /* X3 = R^2 - H^3 - 2*U1*H^2 */
    /* XS = RS^2 - H^3 - 2*U1*H^2 */
    sp_384_mont_sqr_7(xa, t4, p384_mod, p384_mp_mod);
    sp_384_mont_sqr_7(xs, t6, p384_mod, p384_mp_mod);
    sp_384_mont_sqr_7(t5, t2, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(ya, t1, t5, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t5, t5, t2, p384_mod, p384_mp_mod);
    sp_384_mont_sub_7(xa, xa, t5, p384_mod);
    sp_384_mont_sub_7(xs, xs, t5, p384_mod);
    sp_384_mont_dbl_7(t1, ya, p384_mod);
    sp_384_mont_sub_7(xa, xa, t1, p384_mod);
    sp_384_mont_sub_7(xs, xs, t1, p384_mod);
    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
    sp_384_mont_sub_7(ys, ya, xs, p384_mod);
    sp_384_mont_sub_7(ya, ya, xa, p384_mod);
    sp_384_mont_mul_7(ya, ya, t4, p384_mod, p384_mp_mod);
    sp_384_sub_7(t6, p384_mod, t6);
    sp_384_mont_mul_7(ys, ys, t6, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t5, t5, t3, p384_mod, p384_mp_mod);
    sp_384_mont_sub_7(ya, ya, t5, p384_mod);
    sp_384_mont_sub_7(ys, ys, t5, p384_mod);
}

/* Structure used to describe recoding of scalar multiplication. */
typedef struct ecc_recode_384 {
    /* Index into pre-computation table. */
    uint8_t i;
    /* Use the negative of the point. */
    uint8_t neg;
} ecc_recode_384;

/* The index into pre-computation table to use. */
static const uint8_t recode_index_7_6[66] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
     0,  1,
};

/* Whether to negate y-ordinate. */
static const uint8_t recode_neg_7_6[66] = {
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     0,  0,
};

/* Recode the scalar for multiplication using pre-computed values and
 * subtraction.
 *
 * k  Scalar to multiply by.
 * v  Vector of operations to perform.
 */
static void sp_384_ecc_recode_6_7(const sp_digit* k, ecc_recode_384* v)
{
    int i;
    int j;
    uint8_t y;
    int carry = 0;
    int o;
    sp_digit n;

    j = 0;
    n = k[j];
    o = 0;
    for (i=0; i<65; i++) {
        y = (int8_t)n;
        if (o + 6 < 55) {
            y &= 0x3f;
            n >>= 6;
            o += 6;
        }
        else if (o + 6 == 55) {
            n >>= 6;
            if (++j < 7)
                n = k[j];
            o = 0;
        }
        else if (++j < 7) {
            n = k[j];
            y |= (uint8_t)((n << (55 - o)) & 0x3f);
            o -= 49;
            n >>= o;
        }

        y += (uint8_t)carry;
        v[i].i = recode_index_7_6[y];
        v[i].neg = recode_neg_7_6[y];
        carry = (y >> 6) + v[i].neg;
    }
}

#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible point that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_384_get_point_33_7(sp_point_384* r, const sp_point_384* table,
    int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->x[5] = 0;
    r->x[6] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    r->y[5] = 0;
    r->y[6] = 0;
    r->z[0] = 0;
    r->z[1] = 0;
    r->z[2] = 0;
    r->z[3] = 0;
    r->z[4] = 0;
    r->z[5] = 0;
    r->z[6] = 0;
    for (i = 1; i < 33; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->x[5] |= mask & table[i].x[5];
        r->x[6] |= mask & table[i].x[6];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
        r->y[5] |= mask & table[i].y[5];
        r->y[6] |= mask & table[i].y[6];
        r->z[0] |= mask & table[i].z[0];
        r->z[1] |= mask & table[i].z[1];
        r->z[2] |= mask & table[i].z[2];
        r->z[3] |= mask & table[i].z[3];
        r->z[4] |= mask & table[i].z[4];
        r->z[5] |= mask & table[i].z[5];
        r->z[6] |= mask & table[i].z[6];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Window technique of 6 bits. (Add-Sub variation.)
 * Calculate 0..32 times the point. Use function that adds and
 * subtracts the same two points.
 * Recode to add or subtract one of the computed points.
 * Double to push up.
 * NOT a sliding window.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_win_add_sub_7(sp_point_384* r, const sp_point_384* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_384 t[33+2];
    sp_digit tmp[2 * 7 * 6];
#endif
    sp_point_384* rt = NULL;
    sp_point_384* p = NULL;
    sp_digit* negy;
    int i;
    ecc_recode_384 v[65];
    int err = MP_OKAY;

    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) *
        (33+2), heap, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6,
                                 heap, DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        rt = t + 33;
        p  = t + 33+1;

        /* t[0] = {0, 0, 1} * norm */
        XMEMSET(&t[0], 0, sizeof(t[0]));
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_384_mod_mul_norm_7(t[1].x, g->x, p384_mod);
    }
    if (err == MP_OKAY) {
        err = sp_384_mod_mul_norm_7(t[1].y, g->y, p384_mod);
    }
    if (err == MP_OKAY) {
        err = sp_384_mod_mul_norm_7(t[1].z, g->z, p384_mod);
    }

    if (err == MP_OKAY) {
        t[1].infinity = 0;
        /* t[2] ... t[32]  */
        sp_384_proj_point_dbl_n_store_7(t, &t[ 1], 5, 1, tmp);
        sp_384_proj_point_add_7(&t[ 3], &t[ 2], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[ 6], &t[ 3], tmp);
        sp_384_proj_point_add_sub_7(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[10], &t[ 5], tmp);
        sp_384_proj_point_add_sub_7(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[12], &t[ 6], tmp);
        sp_384_proj_point_dbl_7(&t[14], &t[ 7], tmp);
        sp_384_proj_point_add_sub_7(&t[15], &t[13], &t[14], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[18], &t[ 9], tmp);
        sp_384_proj_point_add_sub_7(&t[19], &t[17], &t[18], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[20], &t[10], tmp);
        sp_384_proj_point_dbl_7(&t[22], &t[11], tmp);
        sp_384_proj_point_add_sub_7(&t[23], &t[21], &t[22], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[24], &t[12], tmp);
        sp_384_proj_point_dbl_7(&t[26], &t[13], tmp);
        sp_384_proj_point_add_sub_7(&t[27], &t[25], &t[26], &t[ 1], tmp);
        sp_384_proj_point_dbl_7(&t[28], &t[14], tmp);
        sp_384_proj_point_dbl_7(&t[30], &t[15], tmp);
        sp_384_proj_point_add_sub_7(&t[31], &t[29], &t[30], &t[ 1], tmp);

        negy = t[0].y;

        sp_384_ecc_recode_6_7(k, v);

        i = 64;
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_384_get_point_33_7(rt, t, v[i].i);
            rt->infinity = !v[i].i;
        }
        else
    #endif
        {
            XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_384));
        }
        for (--i; i>=0; i--) {
            sp_384_proj_point_dbl_n_7(rt, 6, tmp);

        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_384_get_point_33_7(p, t, v[i].i);
                p->infinity = !v[i].i;
            }
            else
        #endif
            {
                XMEMCPY(p, &t[v[i].i], sizeof(sp_point_384));
            }
            sp_384_sub_7(negy, p384_mod, p->y);
            sp_384_norm_7(negy);
            sp_384_cond_copy_7(p->y, negy, (sp_digit)0 - v[i].neg);
            sp_384_proj_point_add_7(rt, rt, p, tmp);
        }

        if (map != 0) {
            sp_384_map_7(r, rt, tmp);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_384));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (tmp != NULL)
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#endif /* FP_ECC */
/* Add two Montgomery form projective points. The second point has a q value of
 * one.
 * Only the first point can be the same pointer as the result point.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_384_proj_point_add_qz1_7(sp_point_384* r,
    const sp_point_384* p, const sp_point_384* q, sp_digit* t)
{
    sp_digit* t2 = t;
    sp_digit* t3 = t + 2*7;
    sp_digit* t6 = t + 4*7;
    sp_digit* t1 = t + 6*7;
    sp_digit* t4 = t + 8*7;
    sp_digit* t5 = t + 10*7;

    /* Calculate values to subtract from P->x and P->y. */
    /* U2 = X2*Z1^2 */
    sp_384_mont_sqr_7(t2, p->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t4, t2, p->z, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t2, t2, q->x, p384_mod, p384_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_384_mont_mul_7(t4, t4, q->y, p384_mod, p384_mp_mod);

    if ((~p->infinity) & (~q->infinity) &
            sp_384_cmp_equal_7(p->x, t2) &
            sp_384_cmp_equal_7(p->y, t4)) {
        sp_384_proj_point_dbl_7(r, p, t);
    }
    else {
        sp_digit* x = t2;
        sp_digit* y = t3;
        sp_digit* z = t6;

        /* H = U2 - X1 */
        sp_384_mont_sub_7(t2, t2, p->x, p384_mod);
        /* R = S2 - Y1 */
        sp_384_mont_sub_7(t4, t4, p->y, p384_mod);
        /* Z3 = H*Z1 */
        sp_384_mont_mul_7(z, p->z, t2, p384_mod, p384_mp_mod);
        /* X3 = R^2 - H^3 - 2*X1*H^2 */
        sp_384_mont_sqr_7(t1, t2, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(t3, p->x, t1, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(t1, t1, t2, p384_mod, p384_mp_mod);
        sp_384_mont_sqr_7(t2, t4, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(t2, t2, t1, p384_mod);
        sp_384_mont_dbl_7(t5, t3, p384_mod);
        sp_384_mont_sub_7(x, t2, t5, p384_mod);
        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
        sp_384_mont_sub_7(t3, t3, x, p384_mod);
        sp_384_mont_mul_7(t3, t3, t4, p384_mod, p384_mp_mod);
        sp_384_mont_mul_7(t1, t1, p->y, p384_mod, p384_mp_mod);
        sp_384_mont_sub_7(y, t3, t1, p384_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 7; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 7; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef FP_ECC
/* Convert the projective point to affine.
 * Ordinates are in Montgomery form.
 *
 * a  Point to convert.
 * t  Temporary data.
 */
static void sp_384_proj_to_affine_7(sp_point_384* a, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 7;
    sp_digit* tmp = t + 4 * 7;

    sp_384_mont_inv_7(t1, a->z, tmp);

    sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(t1, t2, t1, p384_mod, p384_mp_mod);

    sp_384_mont_mul_7(a->x, a->x, t2, p384_mod, p384_mp_mod);
    sp_384_mont_mul_7(a->y, a->y, t1, p384_mod, p384_mp_mod);
    XMEMCPY(a->z, p384_norm_mod, sizeof(p384_norm_mod));
}

/* Generate the pre-computed table of points for the base point.
 *
 * width = 8
 * 256 entries
 * 48 bits between
 *
 * a      The base point.
 * table  Place to store generated point data.
 * tmp    Temporary data.
 * heap  Heap to use for allocation.
 */
static int sp_384_gen_stripe_table_7(const sp_point_384* a,
        sp_table_entry_384* table, sp_digit* tmp, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* t = NULL;
#else
    sp_point_384 t[3];
#endif
    sp_point_384* s1 = NULL;
    sp_point_384* s2 = NULL;
    int i;
    int j;
    int err = MP_OKAY;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        s1 = t + 1;
        s2 = t + 2;

        err = sp_384_mod_mul_norm_7(t->x, a->x, p384_mod);
    }
    if (err == MP_OKAY) {
        err = sp_384_mod_mul_norm_7(t->y, a->y, p384_mod);
    }
    if (err == MP_OKAY) {
        err = sp_384_mod_mul_norm_7(t->z, a->z, p384_mod);
    }
    if (err == MP_OKAY) {
        t->infinity = 0;
        sp_384_proj_to_affine_7(t, tmp);

        XMEMCPY(s1->z, p384_norm_mod, sizeof(p384_norm_mod));
        s1->infinity = 0;
        XMEMCPY(s2->z, p384_norm_mod, sizeof(p384_norm_mod));
        s2->infinity = 0;

        /* table[0] = {0, 0, infinity} */
        XMEMSET(&table[0], 0, sizeof(sp_table_entry_384));
        /* table[1] = Affine version of 'a' in Montgomery form */
        XMEMCPY(table[1].x, t->x, sizeof(table->x));
        XMEMCPY(table[1].y, t->y, sizeof(table->y));

        for (i=1; i<8; i++) {
            sp_384_proj_point_dbl_n_7(t, 48, tmp);
            sp_384_proj_to_affine_7(t, tmp);
            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
        }

        for (i=1; i<8; i++) {
            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
                sp_384_proj_point_add_qz1_7(t, s1, s2, tmp);
                sp_384_proj_to_affine_7(t, tmp);
                XMEMCPY(table[j].x, t->x, sizeof(table->x));
                XMEMCPY(table[j].y, t->y, sizeof(table->y));
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* FP_ECC */
#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible entry that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_384_get_entry_256_7(sp_point_384* r,
    const sp_table_entry_384* table, int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->x[5] = 0;
    r->x[6] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    r->y[5] = 0;
    r->y[6] = 0;
    for (i = 1; i < 256; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->x[5] |= mask & table[i].x[5];
        r->x[6] |= mask & table[i].x[6];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
        r->y[5] |= mask & table[i].y[5];
        r->y[6] |= mask & table[i].y[6];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^48, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r      Resulting point.
 * k      Scalar to multiply by.
 * table  Pre-computed table.
 * map    Indicates whether to convert result to affine.
 * ct     Constant time required.
 * heap   Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_stripe_7(sp_point_384* r, const sp_point_384* g,
        const sp_table_entry_384* table, const sp_digit* k, int map,
        int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* rt = NULL;
    sp_digit* t = NULL;
#else
    sp_point_384 rt[2];
    sp_digit t[2 * 7 * 6];
#endif
    sp_point_384* p = NULL;
    int i;
    int j;
    int y;
    int x;
    int err = MP_OKAY;

    (void)g;
    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;


#ifdef WOLFSSL_SP_SMALL_STACK
    rt = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap,
                                      DYNAMIC_TYPE_ECC);
    if (rt == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, heap,
                               DYNAMIC_TYPE_ECC);
        if (t == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = rt + 1;

        XMEMCPY(p->z, p384_norm_mod, sizeof(p384_norm_mod));
        XMEMCPY(rt->z, p384_norm_mod, sizeof(p384_norm_mod));

        y = 0;
        x = 47;
        for (j=0; j<8; j++) {
            y |= (int)(((k[x / 55] >> (x % 55)) & 1) << j);
            x += 48;
        }
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_384_get_entry_256_7(rt, table, y);
        } else
    #endif
        {
            XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
            XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
        }
        rt->infinity = !y;
        for (i=46; i>=0; i--) {
            y = 0;
            x = i;
            for (j=0; j<8; j++) {
                y |= (int)(((k[x / 55] >> (x % 55)) & 1) << j);
                x += 48;
            }

            sp_384_proj_point_dbl_7(rt, rt, t);
        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_384_get_entry_256_7(p, table, y);
            }
            else
        #endif
            {
                XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
                XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
            }
            p->infinity = !y;
            sp_384_proj_point_add_qz1_7(rt, rt, p, t);
        }

        if (map != 0) {
            sp_384_map_7(r, rt, t);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_384));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (rt != NULL)
        XFREE(rt, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#ifndef FP_ENTRIES
    #define FP_ENTRIES 16
#endif

/* Cache entry - holds precomputation tables for a point. */
typedef struct sp_cache_384_t {
    /* X ordinate of point that table was generated from. */
    sp_digit x[7];
    /* Y ordinate of point that table was generated from. */
    sp_digit y[7];
    /* Precomputation table for point. */
    sp_table_entry_384 table[256];
    /* Count of entries in table. */
    uint32_t cnt;
    /* Point and table set in entry. */
    int set;
} sp_cache_384_t;

/* Cache of tables. */
static THREAD_LS_T sp_cache_384_t sp_cache_384[FP_ENTRIES];
/* Index of last entry in cache. */
static THREAD_LS_T int sp_cache_384_last = -1;
/* Cache has been initialized. */
static THREAD_LS_T int sp_cache_384_inited = 0;

#ifndef HAVE_THREAD_LS
    static volatile int initCacheMutex_384 = 0;
    static wolfSSL_Mutex sp_cache_384_lock;
#endif

/* Get the cache entry for the point.
 *
 * g      [in]   Point scalar multiplying.
 * cache  [out]  Cache table to use.
 */
static void sp_ecc_get_cache_384(const sp_point_384* g, sp_cache_384_t** cache)
{
    int i;
    int j;
    uint32_t least;

    if (sp_cache_384_inited == 0) {
        for (i=0; i<FP_ENTRIES; i++) {
            sp_cache_384[i].set = 0;
        }
        sp_cache_384_inited = 1;
    }

    /* Compare point with those in cache. */
    for (i=0; i<FP_ENTRIES; i++) {
        if (!sp_cache_384[i].set)
            continue;

        if (sp_384_cmp_equal_7(g->x, sp_cache_384[i].x) &
                           sp_384_cmp_equal_7(g->y, sp_cache_384[i].y)) {
            sp_cache_384[i].cnt++;
            break;
        }
    }

    /* No match. */
    if (i == FP_ENTRIES) {
        /* Find empty entry. */
        i = (sp_cache_384_last + 1) % FP_ENTRIES;
        for (; i != sp_cache_384_last; i=(i+1)%FP_ENTRIES) {
            if (!sp_cache_384[i].set) {
                break;
            }
        }

        /* Evict least used. */
        if (i == sp_cache_384_last) {
            least = sp_cache_384[0].cnt;
            for (j=1; j<FP_ENTRIES; j++) {
                if (sp_cache_384[j].cnt < least) {
                    i = j;
                    least = sp_cache_384[i].cnt;
                }
            }
        }

        XMEMCPY(sp_cache_384[i].x, g->x, sizeof(sp_cache_384[i].x));
        XMEMCPY(sp_cache_384[i].y, g->y, sizeof(sp_cache_384[i].y));
        sp_cache_384[i].set = 1;
        sp_cache_384[i].cnt = 1;
    }

    *cache = &sp_cache_384[i];
    sp_cache_384_last = i;
}
#endif /* FP_ECC */

/* Multiply the base point of P384 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_7(sp_point_384* r, const sp_point_384* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifndef FP_ECC
    return sp_384_ecc_mulmod_win_add_sub_7(r, g, k, map, ct, heap);
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp;
#else
    sp_digit tmp[2 * 7 * 7];
#endif
    sp_cache_384_t* cache;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 7, heap, DYNAMIC_TYPE_ECC);
    if (tmp == NULL) {
        err = MEMORY_E;
    }
#endif
#ifndef HAVE_THREAD_LS
    if (err == MP_OKAY) {
        if (initCacheMutex_384 == 0) {
            wc_InitMutex(&sp_cache_384_lock);
            initCacheMutex_384 = 1;
        }
        if (wc_LockMutex(&sp_cache_384_lock) != 0) {
            err = BAD_MUTEX_E;
        }
    }
#endif /* HAVE_THREAD_LS */

    if (err == MP_OKAY) {
        sp_ecc_get_cache_384(g, &cache);
        if (cache->cnt == 2)
            sp_384_gen_stripe_table_7(g, cache->table, tmp, heap);

#ifndef HAVE_THREAD_LS
        wc_UnLockMutex(&sp_cache_384_lock);
#endif /* HAVE_THREAD_LS */

        if (cache->cnt < 2) {
            err = sp_384_ecc_mulmod_win_add_sub_7(r, g, k, map, ct, heap);
        }
        else {
            err = sp_384_ecc_mulmod_stripe_7(r, g, cache->table, k,
                    map, ct, heap);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif
    return err;
#endif
}

#endif
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * p     Point to multiply.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_384(const mp_int* km, const ecc_point* gm, ecc_point* r,
        int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_384 point[1];
    sp_digit k[7];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_384_from_mp(k, 7, km);
        sp_384_point_from_ecc_point_7(point, gm);

            err = sp_384_ecc_mulmod_7(point, point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_384_point_to_ecc_point_7(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the point by the scalar, add point a and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * p       Point to multiply.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_add_384(const mp_int* km, const ecc_point* gm,
    const ecc_point* am, int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_384 point[2];
    sp_digit k[7 + 7 * 2 * 6];
#endif
    sp_point_384* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (7 + 7 * 2 * 6), heap,
            DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 7;

        sp_384_from_mp(k, 7, km);
        sp_384_point_from_ecc_point_7(point, gm);
        sp_384_point_from_ecc_point_7(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->x, addP->x, p384_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->y, addP->y, p384_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->z, addP->z, p384_mod);
    }
    if (err == MP_OKAY) {
            err = sp_384_ecc_mulmod_7(point, point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_384_proj_point_add_7(point, point, addP, tmp);

        if (map) {
                sp_384_map_7(point, point, tmp);
        }

        err = sp_384_point_to_ecc_point_7(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the base point of P384 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_base_7(sp_point_384* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_384_ecc_mulmod_7(r, &p384_base, k, map, ct, heap);
}

#ifdef WOLFSSL_SP_NONBLOCK
static int sp_384_ecc_mulmod_base_7_nb(sp_ecc_ctx_t* sp_ctx, sp_point_384* r,
        const sp_digit* k, int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_384_ecc_mulmod_7_nb(sp_ctx, r, &p384_base, k, map, ct, heap);
}
#endif /* WOLFSSL_SP_NONBLOCK */


#else
/* Striping precomputation table.
 * 8 points combined into a table of 256 points.
 * Distance of 48 between points.
 */
static const sp_table_entry_384 p384_table[256] = {
    /* 0 */
    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
    /* 1 */
    { { 0x50756649c0b528L,0x71c541ad9c707bL,0x71506d35b8838dL,
        0x4d1877fc3ce1d7L,0x6de2b645486845L,0x227025fee46c29L,
        0x134eab708a6785L },
      { 0x043dad4b03a4feL,0x517ef769535846L,0x58ba0ec14286feL,
        0x47a7fecc5d6f3aL,0x1a840c6c352196L,0x3d3bb00044c72dL,
        0x0ade2af0968571L } },
    /* 2 */
    { { 0x0647532b0c535bL,0x52a6e0a0c52c53L,0x5085aae6b24375L,
        0x7096bb501c66b5L,0x47bdb3df9b7b7bL,0x11227e9b2f0be6L,
        0x088b172704fa51L },
      { 0x0e796f2680dc64L,0x796eb06a482ebfL,0x2b441d02e04839L,
        0x19bef7312a5aecL,0x02247c38b8efb5L,0x099ed1185c329eL,
        0x1ed71d7cdb096fL } },
    /* 3 */
    { { 0x6a3cc39edffea5L,0x7a386fafd3f9c4L,0x366f78fbd8d6efL,
        0x529c7ad7873b80L,0x79eb30380eb471L,0x07c5d3b51760b7L,
        0x36ee4f1cc69183L },
      { 0x5ba260f526b605L,0x2f1dfaf0aa6e6fL,0x6bb5ca812a5752L,
        0x3002d8d1276bc9L,0x01f82269483777L,0x1df33eaaf733cdL,
        0x2b97e555f59255L } },
    /* 4 */
    { { 0x480c57f26feef9L,0x4d28741c248048L,0x0c9cf8af1f0c68L,
        0x778f6a639a8016L,0x148e88c42e9c53L,0x464051757ecfe9L,
        0x1a940bd0e2a5e1L },
      { 0x713a46b74536feL,0x1757b153e1d7ebL,0x30dc8c9da07486L,
        0x3b7460c1879b5eL,0x4b766c5317b315L,0x1b9de3aaf4d377L,
        0x245f124c2cf8f5L } },
    /* 5 */
    { { 0x426e2ee349ddd0L,0x7df3365f84a022L,0x03b005d29a7c45L,
        0x422c2337f9b5a4L,0x060494f4bde761L,0x5245e5db6da0b0L,
        0x22b71d744677f2L },
      { 0x19d097b7d5a7ceL,0x6bcb468823d34cL,0x1c3692d3be1d09L,
        0x3c80ec7aa01f02L,0x7170f2ebaafd97L,0x06cbcc7d79d4e8L,
        0x04a8da511fe760L } },
    /* 6 */
    { { 0x79c07a4fc52870L,0x6e9034a752c251L,0x603860a367382cL,
        0x56d912d6aa87d0L,0x0a348a24abaf76L,0x6c5a23da14adcbL,
        0x3cf60479a522b2L },
      { 0x18dd774c61ed22L,0x0ff30168f93b0cL,0x3f79ae15642eddL,
        0x40510f4915fbcbL,0x2c9ddfdfd1c6d6L,0x67b81b62aee55eL,
        0x2824de79b07a43L } },
    /* 7 */
    { { 0x6c66efe085c629L,0x48c212b7913470L,0x4480fd2d057f0aL,
        0x725ec7a89a9eb1L,0x78ce97ca1972b7L,0x54760ee70154fbL,
        0x362a40e27b9f93L },
      { 0x474dc7e7b14461L,0x602819389ef037L,0x1a13bc284370b2L,
        0x0193ff1295a59dL,0x79615bde6ea5d2L,0x2e76e3d886acc1L,
        0x3bb796812e2b60L } },
    /* 8 */
    { { 0x04cbb3893b9a2dL,0x4c16010a18baabL,0x19f7cb50f60831L,
        0x084f400a0936c1L,0x72f1cdd5bbbf00L,0x1b30b725dc6702L,
        0x182753e4fcc50cL },
      { 0x059a07eadaf9d6L,0x26d81e24bf603cL,0x45583c839dc399L,
        0x5579d4d6b1103aL,0x2e14ea59489ae7L,0x492f6e1c5ecc97L,
        0x03740dc05db420L } },
    /* 9 */
    { { 0x413be88510521fL,0x3753ee49982e99L,0x6cd4f7098e1cc5L,
        0x613c92bda4ec1dL,0x495378b677efe0L,0x132a2143839927L,
        0x0cf8c336291c0bL },
      { 0x7fc89d2208353fL,0x751b9da85657e1L,0x349b8a97d405c3L,
        0x65a964b048428fL,0x1adf481276455eL,0x5560c8d89c2ffcL,
        0x144fc11fac21a3L } },
    /* 10 */
    { { 0x7611f4df5bdf53L,0x634eb16234db80L,0x3c713b8e51174cL,
        0x52c3c68ac4b2edL,0x53025ba8bebe75L,0x7175d98143105bL,
        0x33ca8e266a48faL },
      { 0x0c9281d24fd048L,0x76b3177604bbf3L,0x3b26ae754e106fL,
        0x7f782275c6efc6L,0x36662538a4cb67L,0x0ca1255843e464L,
        0x2a4674e142d9bcL } },
    /* 11 */
    { { 0x303b4085d480d8L,0x68f23650f4fa7bL,0x552a3ceeba3367L,
        0x6da0c4947926e3L,0x6e0f5482eb8003L,0x0de717f3d6738aL,
        0x22e5dcc826a477L },
      { 0x1b05b27209cfc2L,0x7f0a0b65b6e146L,0x63586549ed3126L,
        0x7d628dd2b23124L,0x383423fe510391L,0x57ff609eabd569L,
        0x301f04370131baL } },
    /* 12 */
    { { 0x22fe4cdb32f048L,0x7f228ebdadbf5aL,0x02a99adb2d7c8eL,
        0x01a02e05286706L,0x62d6adf627a89fL,0x49c6ce906fbf2bL,
        0x0207256dae90b9L },
      { 0x23e036e71d6cebL,0x199ed8d604e3d7L,0x0c1a11c076d16fL,
        0x389291fb3da3f3L,0x47adc60f8f942eL,0x177048468e4b9aL,
        0x20c09f5e61d927L } },
    /* 13 */
    { { 0x129ea63615b0b8L,0x03fb4a9b588367L,0x5ad6da8da2d051L,
        0x33f782f44caeaaL,0x5a27fa80d45291L,0x6d1ed796942da4L,
        0x08435a931ef556L },
      { 0x004abb25351130L,0x6d33207c6fd7e7L,0x702130972074b7L,
        0x0e34748af900f7L,0x762a531a28c87aL,0x3a903b5a4a6ac7L,
        0x1775b79c35b105L } },
    /* 14 */
    { { 0x7470fd846612ceL,0x7dd9b431b32e53L,0x04bcd2be1a61bcL,
        0x36ed7c5b5c260bL,0x6795f5ef0a4084L,0x46e2880b401c93L,
        0x17d246c5aa8bdeL },
      { 0x707ae4db41b38dL,0x233c31f7f9558fL,0x585110ec67bdf4L,
        0x4d0cc931d0c703L,0x26fbe4356841a7L,0x64323e95239c44L,
        0x371dc9230f3221L } },
    /* 15 */
    { { 0x70ff1ae4b1ec9dL,0x7c1dcfddee0daaL,0x53286782188748L,
        0x6a5d9381e6f207L,0x3aa6c7d6523c4cL,0x6c02d83e0d97e2L,
        0x16a9c916b45312L },
      { 0x78146744b74de8L,0x742ec415269c6fL,0x237a2c6a860e79L,
        0x186baf17ba68a7L,0x4261e8789fa51fL,0x3dc136480a5903L,
        0x1953899e0cf159L } },
    /* 16 */
    { { 0x0205de2f9fbe67L,0x1706fee51c886fL,0x31a0b803c712bfL,
        0x0a6aa11ede7603L,0x2463ef2a145c31L,0x615403b30e8f4aL,
        0x3f024d6c5f5c5eL },
      { 0x53bc4fd4d01f95L,0x7d512ac15a692cL,0x72be38fcfe6aa0L,
        0x437f0b77bbca1eL,0x7fdcf70774a10eL,0x392d6c5cde37f3L,
        0x229cbce79621d1L } },
    /* 17 */
    { { 0x2de4da2341c342L,0x5ca9d4e08844e7L,0x60dd073bcf74c9L,
        0x4f30aa499b63ecL,0x23efd1eafa00d5L,0x7c99a7db1257b3L,
        0x00febc9b3171b1L },
      { 0x7e2fcf3045f8acL,0x2a642e9e3ce610L,0x23f82be69c5299L,
        0x66e49ad967c279L,0x1c895ddfd7a842L,0x798981e22f6d25L,
        0x0d595cb59322f3L } },
    /* 18 */
    { { 0x4bac017d8c1bbaL,0x73872161e7aafdL,0x0fd865f43d8163L,
        0x019d89457708b7L,0x1b983c4dd70684L,0x095e109b74d841L,
        0x25f1f0b3e0c76fL },
      { 0x4e61ddf96010e8L,0x1c40a53f542e5eL,0x01a74dfc8365f9L,
        0x69b36b92773333L,0x08e0fccc139ed3L,0x266d216ddc4269L,
        0x1f2b47717ce9b5L } },
    /* 19 */
    { { 0x0a9a81da57a41fL,0x0825d800736cccL,0x2d7876b4579d28L,
        0x3340ea6211a1e3L,0x49e89284f3ff54L,0x6276a210fe2c6eL,
        0x01c3c8f31be7cbL },
      { 0x2211da5d186e14L,0x1e6ffbb61bfea8L,0x536c7d060211d2L,
        0x320168720d1d55L,0x5835525ed667baL,0x5125e52495205eL,
        0x16113b9f3e9129L } },
    /* 20 */
    { { 0x3086073f3b236fL,0x283b03c443b5f5L,0x78e49ed0a067a7L,
        0x2a878fb79fb2b8L,0x662f04348a9337L,0x57ee2cf732d50bL,
        0x18b50dd65fd514L },
      { 0x5feb9ef2955926L,0x2c3edbef06a7b0L,0x32728dad651029L,
        0x116d00b1c4b347L,0x13254052bf1a1aL,0x3e77bf7fee5ec1L,
        0x253943ca388882L } },
    /* 21 */
    { { 0x32e5b33062e8afL,0x46ebd147a6d321L,0x2c8076dec6a15cL,
        0x7328d511ff0d80L,0x10ad7e926def0eL,0x4e8ca85937d736L,
        0x02638c26e8bf2fL },
      { 0x1deeb3fff1d63fL,0x5014417fa6e8efL,0x6e1da3de5c8f43L,
        0x7ca942b42295d9L,0x23faacf75bb4d1L,0x4a71fcd680053dL,
        0x04af4f90204dceL } },
    /* 22 */
    { { 0x23780d104cbba5L,0x4e8ff46bba9980L,0x2072a6da8d881fL,
        0x3cc3d881ae11c9L,0x2eee84ff19be89L,0x69b708ed77f004L,
        0x2a82928534eef9L },
      { 0x794331187d4543L,0x70e0f3edc0cc41L,0x3ab1fa0b84c854L,
        0x1478355c1d87baL,0x6f35fa7748ba28L,0x37b8be0531584dL,
        0x03c3141c23a69fL } },
    /* 23 */
    { { 0x5c244cdef029ddL,0x0d0f0a0cc37018L,0x17f8476604f6afL,
        0x13a6dd6ccc95c3L,0x5a242e9801b8f6L,0x211ca9cc632131L,
        0x264a6a46a4694fL },
      { 0x3ffd7235285887L,0x284be28302046fL,0x57f4b9b882f1d6L,
        0x5e21772c940661L,0x7619a735c600cfL,0x2f76f5a50c9106L,
        0x28d89c8c69de31L } },
    /* 24 */
    { { 0x799b5c91361ed8L,0x36ead8c66cd95cL,0x046c9969a91f5cL,
        0x46bbdba2a66ea9L,0x29db0e0215a599L,0x26c8849b36f756L,
        0x22c3feb31ff679L },
      { 0x585d1237b5d9efL,0x5ac57f522e8e8dL,0x617e66e8b56c41L,
        0x68826f276823cfL,0x0983f0e6f39231L,0x4e1075099084bdL,
        0x2a541f82be0416L } },
    /* 25 */
    { { 0x468a6e14cf381cL,0x4f7b845c6399edL,0x36aa29732ebe74L,
        0x19c726911ab46aL,0x2ad1fe431eec0eL,0x301e35051fd1eaL,
        0x36da815e7a1ab3L },
      { 0x05672e4507832aL,0x4ebf10fca51251L,0x6015843421cff0L,
        0x3affad832fc013L,0x712b58d9b45540L,0x1e4751d1f6213eL,
        0x0e7c2b218bafa7L } },
    /* 26 */
    { { 0x7abf784c52edf5L,0x6fcb4b135ca7b1L,0x435e46ac5f735cL,
        0x67f8364ca48c5fL,0x46d45b5fbd956bL,0x10deda6065db94L,
        0x0b37fdf85068f9L },
      { 0x74b3ba61f47ec8L,0x42c7ddf08c10ccL,0x1531a1fe422a20L,
        0x366f913d12be38L,0x6a846e30cb2edfL,0x2785898c994fedL,
        0x061be85f331af3L } },
    /* 27 */
    { { 0x23f5361dfcb91eL,0x3c26c8da6b1491L,0x6e444a1e620d65L,
        0x0c3babd5e8ac13L,0x573723ce612b82L,0x2d10e62a142c37L,
        0x3d1a114c2d98bdL },
      { 0x33950b401896f6L,0x7134efe7c12110L,0x31239fd2978472L,
        0x30333bf5978965L,0x79f93313dd769fL,0x457fb9e11662caL,
        0x190a73b251ae3cL } },
    /* 28 */
    { { 0x04dd54bb75f9a4L,0x0d7253a76ae093L,0x08f5b930792bbcL,
        0x041f79adafc265L,0x4a9ff24c61c11bL,0x0019c94e724725L,
        0x21975945d9cc2aL },
      { 0x3dfe76722b4a2bL,0x17f2f6107c1d94L,0x546e1ae2944b01L,
        0x53f1f06401e72dL,0x2dbe43fc7632d6L,0x5639132e185903L,
        0x0f2f34eb448385L } },
    /* 29 */
    { { 0x7b4cc7ec30ce93L,0x58fb6e4e4145f7L,0x5d1ed5540043b5L,
        0x19ffbe1f633adfL,0x5bfc0907259033L,0x6378f872e7ca0eL,
        0x2c127b2c01eb3cL },
      { 0x076eaf4f58839cL,0x2db54560bc9f68L,0x42ad0319b84062L,
        0x46c325d1fb019dL,0x76d2a19ee9eebcL,0x6fbd6d9e2aa8f7L,
        0x2396a598fe0991L } },
    /* 30 */
    { { 0x662fddf7fbd5e1L,0x7ca8ed22563ad3L,0x5b4768efece3b3L,
        0x643786a422d1eaL,0x36ce80494950e1L,0x1a30795b7f2778L,
        0x107f395c93f332L },
      { 0x7939c28332c144L,0x491610e3c8dc0bL,0x099ba2bfdac5fcL,
        0x5c2e3149ec29a7L,0x31b731d06f1dc3L,0x1cbb60d465d462L,
        0x3ca5461362cfd9L } },
    /* 31 */
    { { 0x653ff736ddc103L,0x7c6f2bdec0dfb2L,0x73f81b73a097d0L,
        0x05b775f84f180fL,0x56b2085af23413L,0x0d6f36256a61feL,
        0x26d3ed267fa68fL },
      { 0x54f89251d27ac2L,0x4fc6ad94a71202L,0x7ebf01969b4cc5L,
        0x7ba364dbc14760L,0x4f8370959a2587L,0x7b7631e37c6188L,
        0x29e51845f104cbL } },
    /* 32 */
    { { 0x426b775e3c647bL,0x327319e0a69180L,0x0c5cb034f6ff2fL,
        0x73aa39b98e9897L,0x7ee615f49fde6eL,0x3f712aa61e0db4L,
        0x33ca06c2ba2ce9L },
      { 0x14973541b8a543L,0x4b4e6101ba61faL,0x1d94e4233d0698L,
        0x501513c715d570L,0x1b8f8c3d01436bL,0x52f41a0445cf64L,
        0x3f709c3a75fb04L } },
    /* 33 */
    { { 0x073c0cbc7f41d6L,0x227c36f5ac8201L,0x508e110fef65d8L,
        0x0f317229529b7fL,0x45fc6030d00e24L,0x118a65d30cebeaL,
        0x3340cc4223a448L },
      { 0x204c999797612cL,0x7c05dd4ce9c5a3L,0x7b865d0a8750e4L,
        0x2f82c876ab7d34L,0x2243ddd2ab4808L,0x6834b9df8a4914L,
        0x123319ed950e0fL } },
    /* 34 */
    { { 0x50430efc14ab48L,0x7e9e4ce0d4e89cL,0x2332207fd8656dL,
        0x4a2809e97f4511L,0x2162bb1b968e2dL,0x29526d54af2972L,
        0x13edd9adcd939dL },
      { 0x793bca31e1ff7fL,0x6b959c9e4d2227L,0x628ac27809a5baL,
        0x2c71ffc7fbaa5fL,0x0c0b058f13c9ceL,0x5676eae68de2cfL,
        0x35508036ea19a4L } },
    /* 35 */
    { { 0x030bbd6dda1265L,0x67f9d12e31bb34L,0x7e4d8196e3ded3L,
        0x7b9120e5352498L,0x75857bce72d875L,0x4ead976a396caeL,
        0x31c5860553a64dL },
      { 0x1a0f792ee32189L,0x564c4efb8165d0L,0x7adc7d1a7fbcbeL,
        0x7ed7c2ccf327b7L,0x35df1b448ce33dL,0x6f67eb838997cdL,
        0x3ee37ec0077917L } },
    /* 36 */
    { { 0x345fa74d5bb921L,0x097c9a56ccfd8eL,0x00a0b5e8f971f8L,
        0x723d95223f69d4L,0x08e2e5c2777f87L,0x68b13676200109L,
        0x26ab5df0acbad6L },
      { 0x01bca7daac34aeL,0x49ca4d5f664dadL,0x110687b850914bL,
        0x1203d6f06443c9L,0x7a2ac743b04d4cL,0x40d96bd3337f82L,
        0x13728be0929c06L } },
    /* 37 */
    { { 0x631ca61127bc1aL,0x2b362fd5a77cd1L,0x17897d68568fb7L,
        0x21070af33db5b2L,0x6872e76221794aL,0x436f29fb076963L,
        0x1f2acfc0ecb7b3L },
      { 0x19bf15ca9b3586L,0x32489a4a17aee2L,0x2b31af3c929551L,
        0x0db7c420b9b19fL,0x538c39bd308c2bL,0x438775c0dea88fL,
        0x1537304d7cd07fL } },
    /* 38 */
    { { 0x53598d943caf0dL,0x1d5244bfe266adL,0x7158feb7ab3811L,
        0x1f46e13cf6fb53L,0x0dcab632eb9447L,0x46302968cfc632L,
        0x0b53d3cc5b6ec7L },
      { 0x69811ca143b7caL,0x5865bcf9f2a11aL,0x74ded7fa093b06L,
        0x1c878ec911d5afL,0x04610e82616e49L,0x1e157fe9640eb0L,
        0x046e6f8561d6c2L } },
    /* 39 */
    { { 0x631a3d3bbe682cL,0x3a4ce9dde5ba95L,0x28f11f7502f1f1L,
        0x0a55cf0c957e88L,0x495e4ec7e0a3bcL,0x30ad4d87ba365cL,
        0x0217b97a4c26f3L },
      { 0x01a9088c2e67fdL,0x7501c4c3d5e5e7L,0x265b7bb854c820L,
        0x729263c87e6b52L,0x308b9e3b8fb035L,0x33f1b86c1b23abL,
        0x0e81b8b21fc99cL } },
    /* 40 */
    { { 0x59f5a87237cac0L,0x6b3a86b0cf28b9L,0x13a53db13a4fc2L,
        0x313c169a1c253bL,0x060158304ed2bbL,0x21e171b71679bcL,
        0x10cdb754d76f86L },
      { 0x44355392ab473aL,0x64eb7cbda08caeL,0x3086426a900c71L,
        0x49016ed9f3c33cL,0x7e6354ab7e04f9L,0x17c4c91a40cd2eL,
        0x3509f461024c66L } },
    /* 41 */
    { { 0x2848f50f9b5a31L,0x68d1755b6c5504L,0x48cd5d5672ec00L,
        0x4d77421919d023L,0x1e1e349ef68807L,0x4ab5130cf415d7L,
        0x305464c6c7dbe6L },
      { 0x64eb0bad74251eL,0x64c6957e52bda4L,0x6c12583440dee6L,
        0x6d3bee05b00490L,0x186970de53dbc4L,0x3be03b37567a56L,
        0x2b553b1ebdc55bL } },
    /* 42 */
    { { 0x74dc3579efdc58L,0x26d29fed1bb71cL,0x334c825a9515afL,
        0x433c1e839273a6L,0x0d8a4e41cff423L,0x3454098fe42f8eL,
        0x1046674bf98686L },
      { 0x09a3e029c05dd2L,0x54d7cfc7fb53a7L,0x35f0ad37e14d7cL,
        0x73a294a13767b9L,0x3f519678275f4fL,0x788c63393993a4L,
        0x0781680b620123L } },
    /* 43 */
    { { 0x4c8e2ed4d5ffe8L,0x112db7d42fe4ebL,0x433b8f2d2be2edL,
        0x23e30b29a82cbcL,0x35d2f4c06ee85aL,0x78ff31ffe4b252L,
        0x0d31295c8cbff5L },
      { 0x314806ea0376a2L,0x4ea09e22bc0589L,0x0879575f00ba97L,
        0x188226d2996bb7L,0x7799368dc9411fL,0x7ab24e5c8cae36L,
        0x2b6a8e2ee4ea33L } },
    /* 44 */
    { { 0x70c7127d4ed72aL,0x24c9743ef34697L,0x2fd30e7a93683aL,
        0x538a89c246012cL,0x6c660a5394ed82L,0x79a95ea239d7e0L,
        0x3f3af3bbfb170dL },
      { 0x3b75aa779ae8c1L,0x33995a3cc0dde4L,0x7489d5720b7bfdL,
        0x599677ef9fa937L,0x3defd64c5ab44bL,0x27d52dc234522bL,
        0x2ac65d1a8450e0L } },
    /* 45 */
    { { 0x478585ec837d7dL,0x5f7971dc174887L,0x67576ed7bb296dL,
        0x5a78e529a74926L,0x640f73f4fa104bL,0x7d42a8b16e4730L,
        0x108c7eaa75fd01L },
      { 0x60661ef96e6896L,0x18d3a0761f3aa7L,0x6e71e163455539L,
        0x165827d6a7e583L,0x4e7f77e9527935L,0x790bebe2ae912eL,
        0x0b8fe9561adb55L } },
    /* 46 */
    { { 0x4d48036a9951a8L,0x371084f255a085L,0x66aeca69cea2c5L,
        0x04c99f40c745e7L,0x08dc4bfd9a0924L,0x0b0ec146b29df7L,
        0x05106218d01c91L },
      { 0x2a56ee99caedc7L,0x5d9b23a203922cL,0x1ce4c80b6a3ec4L,
        0x2666bcb75338cbL,0x185a81aac8c4aaL,0x2b4fb60a06c39eL,
        0x0327e1b3633f42L } },
    /* 47 */
    { { 0x72814710b2a556L,0x52c864f6e16534L,0x4978de66ddd9f2L,
        0x151f5950276cf0L,0x450ac6781d2dc2L,0x114b7a22dd61b2L,
        0x3b32b07f29faf8L },
      { 0x68444fdc2d6e94L,0x68526bd9e437bcL,0x0ca780e8b0d887L,
        0x69f3f850a716aaL,0x500b953e42cd57L,0x4e57744d812e7dL,
        0x000a5f0e715f48L } },
    /* 48 */
    { { 0x2aab10b8243a7dL,0x727d1f4b18b675L,0x0e6b9fdd91bbbbL,
        0x0d58269fc337e5L,0x45d6664105a266L,0x11946af1b14072L,
        0x2c2334f91e46e1L },
      { 0x6dc5f8756d2411L,0x21b34eaa25188bL,0x0d2797da83529eL,
        0x324df55616784bL,0x7039ec66d267dfL,0x2de79cdb2d108cL,
        0x14011b1ad0bde0L } },
    /* 49 */
    { { 0x2e160266425043L,0x55fbe11b712125L,0x7e3c58b3947fd9L,
        0x67aacc79c37ad3L,0x4a18e18d2dea0fL,0x5eef06e5674351L,
        0x37c3483ae33439L },
      { 0x5d5e1d75bb4045L,0x0f9d72db296efdL,0x60b1899dd894a9L,
        0x06e8818ded949aL,0x747fd853c39434L,0x0953b937d9efabL,
        0x09f08c0beeb901L } },
    /* 50 */
    { { 0x1d208a8f2d49ceL,0x54042c5be1445aL,0x1c2681fd943646L,
        0x219c8094e2e674L,0x442cddf07238b8L,0x574a051c590832L,
        0x0b72f4d61c818aL },
      { 0x7bc3cbe4680967L,0x0c8b3f25ae596bL,0x0445b0da74a9efL,
        0x0bbf46c40363b7L,0x1df575c50677a3L,0x016ea6e73d68adL,
        0x0b5207bd8db0fdL } },
    /* 51 */
    { { 0x2d39fdfea1103eL,0x2b252bf0362e34L,0x63d66c992baab9L,
        0x5ac97706de8550L,0x0cca390c39c1acL,0x0d9bec5f01b2eaL,
        0x369360a0f7e5f3L },
      { 0x6dd3461e201067L,0x70b2d3f63ed614L,0x487580487c54c7L,
        0x6020e48a44af2aL,0x1ccf80b21aab04L,0x3cf3b12d88d798L,
        0x349368eccc506fL } },
    /* 52 */
    { { 0x5a053753b0a354L,0x65e818dbb9b0aeL,0x7d5855ee50e4bfL,
        0x58dc06885c7467L,0x5ee15073e57bd3L,0x63254ebc1e07fdL,
        0x1d48e0392aa39bL },
      { 0x4e227c6558ffe9L,0x0c3033d8a82a3eL,0x7bde65c214e8d2L,
        0x6e23561559c16aL,0x5094c5e6deaffdL,0x78dca2880f1f91L,
        0x3d9d3f947d838dL } },
    /* 53 */
    { { 0x387ae5af63408fL,0x6d539aeb4e6edfL,0x7f3d3186368e70L,
        0x01a6446bc19989L,0x35288fbcd4482fL,0x39288d34ec2736L,
        0x1de9c47159ad76L },
      { 0x695dc7944f8d65L,0x3eca2c35575094L,0x0c918059a79b69L,
        0x4573a48c32a74eL,0x580d8bc8b93f52L,0x190be3a3d071eaL,
        0x2333e686b3a8cbL } },
    /* 54 */
    { { 0x2b110c7196fee2L,0x3ac70e99128a51L,0x20a6bb6b75d5e6L,
        0x5f447fa513149aL,0x560d69714cc7b2L,0x1d3ee25279fab1L,
        0x369adb2ccca959L },
      { 0x3fddb13dd821c2L,0x70bf21ba647be8L,0x64121227e3cbc9L,
        0x12633a4c892320L,0x3c15c61660f26dL,0x1932c3b3d19900L,
        0x18c718563eab71L } },
    /* 55 */
    { { 0x72ebe0fd752366L,0x681c2737d11759L,0x143c805e7ae4f0L,
        0x78ed3c2cc7b324L,0x5c16e14820254fL,0x226a4f1c4ec9f0L,
        0x2891bb915eaac6L },
      { 0x061eb453763b33L,0x07f88b81781a87L,0x72b5ac7a87127cL,
        0x7ea4e4cd7ff8b5L,0x5e8c3ce33908b6L,0x0bcb8a3d37feffL,
        0x01da9e8e7fc50bL } },
    /* 56 */
    { { 0x639dfe9e338d10L,0x32dfe856823608L,0x46a1d73bca3b9aL,
        0x2da685d4b0230eL,0x6e0bc1057b6d69L,0x7144ec724a5520L,
        0x0b067c26b87083L },
      { 0x0fc3f0eef4c43dL,0x63500f509552b7L,0x220d74af6f8b86L,
        0x038996eafa2aa9L,0x7f6750f4aee4d2L,0x3e1d3f06718720L,
        0x1ea1d37243814cL } },
    /* 57 */
    { { 0x322d4597c27050L,0x1beeb3ce17f109L,0x15e5ce2e6ef42eL,
        0x6c8be27da6b3a0L,0x66e3347f4d5f5cL,0x7172133899c279L,
        0x250aff4e548743L },
      { 0x28f0f6a43b566dL,0x0cd2437fefbca0L,0x5b1108cb36bdbaL,
        0x48a834d41fb7c2L,0x6cb8565680579fL,0x42da2412b45d9fL,
        0x33dfc1abb6c06eL } },
    /* 58 */
    { { 0x56e3c48ef96c80L,0x65667bb6c1381eL,0x09f70514375487L,
        0x1548ff115f4a08L,0x237de2d21a0710L,0x1425cdee9f43dfL,
        0x26a6a42e055b0aL },
      { 0x4ea9ea9dc7dfcbL,0x4df858583ac58aL,0x1d274f819f1d39L,
        0x26e9c56cf91fcbL,0x6cee31c7c3a465L,0x0bb8e00b108b28L,
        0x226158da117301L } },
    /* 59 */
    { { 0x5a7cd4fce73946L,0x7b6a462d0ac653L,0x732ea4bb1a3da5L,
        0x7c8e9f54711af4L,0x0a6cd55d4655f9L,0x341e6d13e4754aL,
        0x373c87098879a8L },
      { 0x7bc82e61b818bfL,0x5f2db48f44879fL,0x2a2f06833f1d28L,
        0x494e5b691a74c0L,0x17d6cf35fd6b57L,0x5f7028d1c25dfcL,
        0x377a9ab9562cb6L } },
    /* 60 */
    { { 0x4de8877e787b2eL,0x183e7352621a52L,0x2ab0509974962bL,
        0x045a450496cb8aL,0x3bf7118b5591c7L,0x7724f98d761c35L,
        0x301607e8d5a0c1L },
      { 0x0f58a3f24d4d58L,0x3771c19c464f3cL,0x06746f9c0bfafaL,
        0x56564c9c8feb52L,0x0d66d9a7d8a45fL,0x403578141193caL,
        0x00b0d0bdc19260L } },
    /* 61 */
    { { 0x571407157bdbc2L,0x138d5a1c2c0b99L,0x2ee4a8057dcbeaL,
        0x051ff2b58e9ed1L,0x067378ad9e7cdaL,0x7cc2c1db97a49eL,
        0x1e7536ccd849d6L },
      { 0x531fd95f3497c4L,0x55dc08325f61a7L,0x144e942bce32bfL,
        0x642d572f09e53aL,0x556ff188261678L,0x3e79c0d9d513d6L,
        0x0bbbc6656f6d52L } },
    /* 62 */
    { { 0x57d3eb50596edcL,0x26c520a487451dL,0x0a92db40aea8d6L,
        0x27df6345109616L,0x7733d611fd727cL,0x61d14171fef709L,
        0x36169ae417c36bL },
      { 0x6899f5d4091cf7L,0x56ce5dfe4ed0c1L,0x2c430ce5913fbcL,
        0x1b13547e0f8caeL,0x4840a8275d3699L,0x59b8ef209e81adL,
        0x22362dff5ea1a2L } },
    /* 63 */
    { { 0x7237237bd98425L,0x73258e162a9d0bL,0x0a59a1e8bb5118L,
        0x4190a7ee5d8077L,0x13684905fdbf7cL,0x31c4033a52626bL,
        0x010a30e4fbd448L },
      { 0x47623f981e909aL,0x670af7c325b481L,0x3d004241fa4944L,
        0x0905a2ca47f240L,0x58f3cdd7a187c3L,0x78b93aee05b43fL,
        0x19b91d4ef8d63bL } },
    /* 64 */
    { { 0x0d34e116973cf4L,0x4116fc9e69ee0eL,0x657ae2b4a482bbL,
        0x3522eed134d7cdL,0x741e0dde0a036aL,0x6554316a51cc7bL,
        0x00f31c6ca89837L },
      { 0x26770aa06b1dd7L,0x38233a4ceba649L,0x065a1110c96feaL,
        0x18d367839e0f15L,0x794543660558d1L,0x39b605139065dcL,
        0x29abbec071b637L } },
    /* 65 */
    { { 0x1464b401ab5245L,0x16db891b27ff74L,0x724eb49cb26e34L,
        0x74fee3bc9cc33eL,0x6a8bdbebe085eaL,0x5c2e75ca207129L,
        0x1d03f2268e6b08L },
      { 0x28b0a328e23b23L,0x645dc26209a0bcL,0x62c28990348d49L,
        0x4dd9be1fa333d0L,0x6183aac74a72e4L,0x1d6f3ee69e1d03L,
        0x2fff96db0ff670L } },
    /* 66 */
    { { 0x2358f5c6a2123fL,0x5b2bfc51bedb63L,0x4fc6674be649ecL,
        0x51fc16e44b813aL,0x2ffe10a73754c1L,0x69a0c7a053aeefL,
        0x150e605fb6b9b4L },
      { 0x179eef6b8b83c4L,0x64293b28ad05efL,0x331795fab98572L,
        0x09823eec78727dL,0x36508042b89b81L,0x65f1106adb927eL,
        0x2fc0234617f47cL } },
    /* 67 */
    { { 0x12aa244e8068dbL,0x0c834ae5348f00L,0x310fc1a4771cb3L,
        0x6c90a2f9e19ef9L,0x77946fa0573471L,0x37f5df81e5f72fL,
        0x204f5d72cbe048L },
      { 0x613c724383bba6L,0x1ce14844967e0aL,0x797c85e69aa493L,
        0x4fb15b0f2ce765L,0x5807978e2e8aa7L,0x52c75859876a75L,
        0x1554635c763d3eL } },
    /* 68 */
    { { 0x4f292200623f3bL,0x6222be53d7fe07L,0x1e02a9a08c2571L,
        0x22c6058216b912L,0x1ec20044c7ba17L,0x53f94c5efde12bL,
        0x102b8aadfe32a4L },
      { 0x45377aa927b102L,0x0d41b8062ee371L,0x77085a9018e62aL,
        0x0c69980024847cL,0x14739b423a73a9L,0x52ec6961fe3c17L,
        0x38a779c94b5a7dL } },
    /* 69 */
    { { 0x4d14008435af04L,0x363bfd8325b4e8L,0x48cdb715097c95L,
        0x1b534540f8bee0L,0x4ca1e5c90c2a76L,0x4b52c193d6eee0L,
        0x277a33c79becf5L },
      { 0x0fee0d511d3d06L,0x4627f3d6a58f8cL,0x7c81ac245119b8L,
        0x0c8d526ba1e07aL,0x3dbc242f55bac2L,0x2399df8f91fffdL,
        0x353e982079ba3bL } },
    /* 70 */
    { { 0x6405d3b0ab9645L,0x7f31abe3ee236bL,0x456170a9babbb1L,
        0x09634a2456a118L,0x5b1c6045acb9e5L,0x2c75c20d89d521L,
        0x2e27ccf5626399L },
      { 0x307cd97fed2ce4L,0x1c2fbb02b64087L,0x542a068d27e64dL,
        0x148c030b3bc6a6L,0x671129e616ade5L,0x123f40db60dafcL,
        0x07688f3c621220L } },
    /* 71 */
    { { 0x1c46b342f2c4b5L,0x27decc0b3c8f04L,0x0d9bd433464c54L,
        0x1f3d893b818572L,0x2536043b536c94L,0x57e00c4b19ebf9L,
        0x3938fb9e5ad55eL },
      { 0x6b390024c8b22fL,0x4583f97e20a976L,0x2559d24abcbad7L,
        0x67a9cabc9bd8c6L,0x73a56f09432e4aL,0x79eb0beb53a3b7L,
        0x3e19d47f6f8221L } },
    /* 72 */
    { { 0x7399cb9d10e0b2L,0x32acc1b8a36e2aL,0x287d60c2407035L,
        0x42c82420ea4b5cL,0x13f286658bc268L,0x3c91181156e064L,
        0x234b83dcdeb963L },
      { 0x79bc95486cfee6L,0x4d8fd3cb78af36L,0x07362ba5e80da8L,
        0x79d024a0d681b0L,0x6b58406907f87fL,0x4b40f1e977e58fL,
        0x38dcc6fd5fa342L } },
    /* 73 */
    { { 0x72282be1cd0abeL,0x02bd0fdfdf44e5L,0x19b0e0d2f753e4L,
        0x4514e76ce8c4c0L,0x02ebc9c8cdcc1bL,0x6ac0c0373e9fddL,
        0x0dc414af1c81a9L },
      { 0x7a109246f32562L,0x26982e6a3768edL,0x5ecd8daed76ab5L,
        0x2eaa70061eb261L,0x09e7c038a8c514L,0x2a2603cc300658L,
        0x25d93ab9e55cd4L } },
    /* 74 */
    { { 0x11b19fcbd5256aL,0x41e4d94274770fL,0x0133c1a411001fL,
        0x360bac481dbca3L,0x45908b18a9c22bL,0x1e34396fafb03aL,
        0x1b84fea7486edaL },
      { 0x183c62a71e6e16L,0x5f1dc30e93da8eL,0x6cb97b502573c3L,
        0x3708bf0964e3fcL,0x35a7f042eeacceL,0x56370da902c27fL,
        0x3a873c3b72797fL } },
    /* 75 */
    { { 0x6573c9cea4cc9bL,0x2c3b5f9d91e6dcL,0x2a90e2dbd9505eL,
        0x66a75444025f81L,0x1571fb894b03cdL,0x5d1a1f00fd26f3L,
        0x0d19a9fd618855L },
      { 0x659acd56515664L,0x7279478bd616a3L,0x09a909e76d56c3L,
        0x2fd70474250358L,0x3a1a25c850579cL,0x11b9e0f71b74ccL,
        0x1268daef3d1bffL } },
    /* 76 */
    { { 0x7f5acc46d93106L,0x5bc15512f939c8L,0x504b5f92f996deL,
        0x25965549be7a64L,0x357a3a2ae9b80dL,0x3f2bcf9c139cc0L,
        0x0a7ddd99f23b35L },
      { 0x6868f5a8a0b1c5L,0x319ec52f15b1beL,0x0770000a849021L,
        0x7f4d50287bd608L,0x62c971d28a9d7fL,0x164e89309acb72L,
        0x2a29f002cf4a32L } },
    /* 77 */
    { { 0x58a852ae11a338L,0x27e3a35f2dcef8L,0x494d5731ce9e18L,
        0x49516f33f4bb3eL,0x386b26ba370097L,0x4e8fac1ec30248L,
        0x2ac26d4c44455dL },
      { 0x20484198eb9dd0L,0x75982a0e06512bL,0x152271b9279b05L,
        0x5908a9857e36d2L,0x6a933ab45a60abL,0x58d8b1acb24fafL,
        0x28fbcf19425590L } },
    /* 78 */
    { { 0x5420e9df010879L,0x4aba72aec2f313L,0x438e544eda7494L,
        0x2e8e189ce6f7eaL,0x2f771e4efe45bdL,0x0d780293bce7efL,
        0x1569ad3d0d02acL },
      { 0x325251ebeaf771L,0x02510f1a8511e2L,0x3863816bf8aad1L,
        0x60fdb15fe6ac19L,0x4792aef52a348cL,0x38e57a104e9838L,
        0x0d171611a1df1bL } },
    /* 79 */
    { { 0x15ceb0bea65e90L,0x6e56482db339bcL,0x37f618f7b0261fL,
        0x6351abc226dabcL,0x0e999f617b74baL,0x37d3cc57af5b69L,
        0x21df2b987aac68L },
      { 0x2dddaa3a358610L,0x2da264bc560e47L,0x545615d538bf13L,
        0x1c95ac244b8cc7L,0x77de1f741852cbL,0x75d324f00996abL,
        0x3a79b13b46aa3bL } },
    /* 80 */
    { { 0x7db63998683186L,0x6849bb989d530cL,0x7b53c39ef7ed73L,
        0x53bcfbf664d3ffL,0x25ef27c57f71c7L,0x50120ee80f3ad6L,
        0x243aba40ed0205L },
      { 0x2aae5e0ee1fcebL,0x3449d0d8343fbeL,0x5b2864fb7cffc7L,
        0x64dceb5407ac3eL,0x20303a5695523dL,0x3def70812010b2L,
        0x07be937f2e9b6fL } },
    /* 81 */
    { { 0x5838f9e0540015L,0x728d8720efb9f7L,0x1ab5864490b0c8L,
        0x6531754458fdcfL,0x600ff9612440c0L,0x48735b36a585b7L,
        0x3d4aaea86b865dL },
      { 0x6898942cac32adL,0x3c84c5531f23a1L,0x3c9dbd572f7edeL,
        0x5691f0932a2976L,0x186f0db1ac0d27L,0x4fbed18bed5bc9L,
        0x0e26b0dee0b38cL } },
    /* 82 */
    { { 0x1188b4f8e60f5bL,0x602a915455b4a2L,0x60e06af289ff99L,
        0x579fe4bed999e5L,0x2bc03b15e6d9ddL,0x1689649edd66d5L,
        0x3165e277dca9d2L },
      { 0x7cb8a529cf5279L,0x57f8035b34d84dL,0x352e2eb26de8f1L,
        0x6406820c3367c4L,0x5d148f4c899899L,0x483e1408482e15L,
        0x1680bd1e517606L } },
    /* 83 */
    { { 0x5c877cc1c90202L,0x2881f158eae1f4L,0x6f45e207df4267L,
        0x59280eba1452d8L,0x4465b61e267db5L,0x171f1137e09e5cL,
        0x1368eb821daa93L },
      { 0x70fe26e3e66861L,0x52a6663170da7dL,0x71d1ce5b7d79dcL,
        0x1cffe9be1e1afdL,0x703745115a29c4L,0x73b7f897b2f65aL,
        0x02218c3a95891aL } },
    /* 84 */
    { { 0x16866db8a9e8c9L,0x4770b770123d9bL,0x4c116cf34a8465L,
        0x079b28263fc86aL,0x3751c755a72b58L,0x7bc8df1673243aL,
        0x12fff72454f064L },
      { 0x15c049b89554e7L,0x4ea9ef44d7cd9aL,0x42f50765c0d4f1L,
        0x158bb603cb011bL,0x0809dde16470b1L,0x63cad7422ea819L,
        0x38b6cd70f90d7eL } },
    /* 85 */
    { { 0x1e4aab6328e33fL,0x70575f026da3aeL,0x7e1b55c8c55219L,
        0x328d4b403d24caL,0x03b6df1f0a5bd1L,0x26b4bb8b648ed0L,
        0x17161f2f10b76aL },
      { 0x6cdb32bae8b4c0L,0x33176266227056L,0x4975fa58519b45L,
        0x254602ea511d96L,0x4e82e93e402a67L,0x0ca8b5929cdb4fL,
        0x3ae7e0a07918f5L } },
    /* 86 */
    { { 0x60f9d1fecf5b9bL,0x6257e40d2cd469L,0x6c7aa814d28456L,
        0x58aac7caac8e79L,0x703a55f0293cbfL,0x702390a0f48378L,
        0x24b9ae07218b07L },
      { 0x1ebc66cdaf24e3L,0x7d9ae5f9f8e199L,0x42055ee921a245L,
        0x035595936e4d49L,0x129c45d425c08bL,0x6486c5f19ce6ddL,
        0x027dbd5f18ba24L } },
    /* 87 */
    { { 0x7d6b78d29375fbL,0x0a3dc6ba22ae38L,0x35090fa91feaf6L,
        0x7f18587fb7b16eL,0x6e7091dd924608L,0x54e102cdbf5ff8L,
        0x31b131a4c22079L },
      { 0x368f87d6a53fb0L,0x1d3f3d69a3f240L,0x36bf5f9e40e1c6L,
        0x17f150e01f8456L,0x76e5d0835eb447L,0x662fc0a1207100L,
        0x14e3dd97a98e39L } },
    /* 88 */
    { { 0x0249d9c2663b4bL,0x56b68f9a71ba1cL,0x74b119567f9c02L,
        0x5e6f336d8c92acL,0x2ced58f9f74a84L,0x4b75a2c2a467c5L,
        0x30557011cf740eL },
      { 0x6a87993be454ebL,0x29b7076fb99a68L,0x62ae74aaf99bbaL,
        0x399f9aa8fb6c1bL,0x553c24a396dd27L,0x2868337a815ea6L,
        0x343ab6635cc776L } },
    /* 89 */
    { { 0x0e0b0eec142408L,0x79728229662121L,0x605d0ac75e6250L,
        0x49a097a01edfbeL,0x1e20cd270df6b6L,0x7438a0ca9291edL,
        0x29daa430da5f90L },
      { 0x7a33844624825aL,0x181715986985c1L,0x53a6853cae0b92L,
        0x6d98401bd925e8L,0x5a0a34f5dd5e24L,0x7b818ef53cf265L,
        0x0836e43c9d3194L } },
    /* 90 */
    { { 0x1179b70e6c5fd9L,0x0246d9305dd44cL,0x635255edfbe2fbL,
        0x5397b3523b4199L,0x59350cc47e6640L,0x2b57aa97ed4375L,
        0x37efd31abd153aL },
      { 0x7a7afa6907f4faL,0x75c10cb94e6a7eL,0x60a925ab69cc47L,
        0x2ff5bcd9239bd5L,0x13c2113e425f11L,0x56bd3d2f8a1437L,
        0x2c9adbab13774fL } },
    /* 91 */
    { { 0x4ab9f52a2e5f2bL,0x5e537e70b58903L,0x0f242658ebe4f2L,
        0x2648a1e7a5f9aeL,0x1b4c5081e73007L,0x6827d4aff51850L,
        0x3925e41726cd01L },
      { 0x56dd8a55ab3cfbL,0x72d6a31b6d5beaL,0x697bd2e5575112L,
        0x66935519a7aa12L,0x55e97dda7a3aceL,0x0e16afb4237b4cL,
        0x00b68fbff08093L } },
    /* 92 */
    { { 0x4b00366481d0d9L,0x37cb031fbfc5c4L,0x14643f6800dd03L,
        0x6793fef60fe0faL,0x4f43e329c92803L,0x1fce86b96a6d26L,
        0x0ad416975e213aL },
      { 0x7cc6a6711adcc9L,0x64b8a63c43c2d9L,0x1e6caa2a67c0d0L,
        0x610deffd17a54bL,0x57d669d5f38423L,0x77364b8f022636L,
        0x36d4d13602e024L } },
    /* 93 */
    { { 0x72e667ae50a2f5L,0x1b15c950c3a21aL,0x3ccc37c72e6dfeL,
        0x027f7e1d094fb8L,0x43ae1e90aa5d7eL,0x3f5feac3d97ce5L,
        0x0363ed0a336e55L },
      { 0x235f73d7663784L,0x5d8cfc588ad5a4L,0x10ab6ff333016eL,
        0x7d8886af2e1497L,0x549f34fd17988eL,0x3fc4fcaee69a33L,
        0x0622b133a13d9eL } },
    /* 94 */
    { { 0x6344cfa796c53eL,0x0e9a10d00136fdL,0x5d1d284a56efd8L,
        0x608b1968f8aca7L,0x2fa5a66776edcaL,0x13430c44f1609cL,
        0x1499973cb2152aL },
      { 0x3764648104ab58L,0x3226e409fadafcL,0x1513a8466459ddL,
        0x649206ec365035L,0x46149aa3f765b1L,0x3aebf0a035248eL,
        0x1ee60b8c373494L } },
    /* 95 */
    { { 0x4e9efcc15f3060L,0x5e5d50fd77cdc8L,0x071e5403516b58L,
        0x1b7d4e89b24ceaL,0x53b1fa66d6dc03L,0x457f15f892ab5fL,
        0x076332c9397260L },
      { 0x31422b79d7584bL,0x0b01d47e41ba80L,0x3e5611a3171528L,
        0x5f53b9a9fc1be4L,0x7e2fc3d82f110fL,0x006cf350ef0fbfL,
        0x123ae98ec81c12L } },
    /* 96 */
    { { 0x310d41df46e2f6L,0x2ff032a286cf13L,0x64751a721c4eadL,
        0x7b62bcc0339b95L,0x49acf0c195afa4L,0x359d48742544e5L,
        0x276b7632d9e2afL },
      { 0x656c6be182579aL,0x75b65a4d85b199L,0x04a911d1721bfaL,
        0x46e023d0e33477L,0x1ec2d580acd869L,0x540b456f398a37L,
        0x001f698210153dL } },
    /* 97 */
    { { 0x3ca35217b00dd0L,0x73961d034f4d3cL,0x4f520b61c4119dL,
        0x4919fde5cccff7L,0x4d0e0e6f38134dL,0x55c22586003e91L,
        0x24d39d5d8f1b19L },
      { 0x4d4fc3d73234dcL,0x40c50c9d5f8368L,0x149afbc86bf2b8L,
        0x1dbafefc21d7f1L,0x42e6b61355107fL,0x6e506cf4b54f29L,
        0x0f498a6c615228L } },
    /* 98 */
    { { 0x30618f437cfaf8L,0x059640658532c4L,0x1c8a4d90e96e1dL,
        0x4a327bcca4fb92L,0x54143b8040f1a0L,0x4ec0928c5a49e4L,
        0x2af5ad488d9b1fL },
      { 0x1b392bd5338f55L,0x539c0292b41823L,0x1fe35d4df86a02L,
        0x5fa5bb17988c65L,0x02b6cb715adc26L,0x09a48a0c2cb509L,
        0x365635f1a5a9f2L } },
    /* 99 */
    { { 0x58aa87bdc21f31L,0x156900c7cb1935L,0x0ec1f75ee2b6cfL,
        0x5f3e35a77ec314L,0x582dec7b9b7621L,0x3e65deb0e8202aL,
        0x325c314b8a66b7L },
      { 0x702e2a22f24d66L,0x3a20e9982014f1L,0x6424c5b86bbfb0L,
        0x424eea4d795351L,0x7fc4cce7c22055L,0x581383fceb92d7L,
        0x32b663f49ee81bL } },
    /* 100 */
    { { 0x76e2d0b648b73eL,0x59ca39fa50bddaL,0x18bb44f786a7e4L,
        0x28c8d49d464360L,0x1b8bf1d3a574eaL,0x7c670b9bf1635aL,
        0x2efb30a291f4b3L },
      { 0x5326c069cec548L,0x03bbe481416531L,0x08a415c8d93d6fL,
        0x3414a52120d383L,0x1f17a0fc6e9c5cL,0x0de9a090717463L,
        0x22d84b3c67ff07L } },
    /* 101 */
    { { 0x30b5014c3830ebL,0x70791dc1a18b37L,0x09e6ea4e24f423L,
        0x65e148a5253132L,0x446f05d5d40449L,0x7ad5d3d707c0e9L,
        0x18eedd63dd3ab5L },
      { 0x40d2eac6bb29e0L,0x5b0e9605e83c38L,0x554f2c666a56a8L,
        0x0ac27b6c94c48bL,0x1aaecdd91bafe5L,0x73c6e2bdf72634L,
        0x306dab96d19e03L } },
    /* 102 */
    { { 0x6d3e4b42772f41L,0x1aba7796f3a39bL,0x3a03fbb980e9c0L,
        0x2f2ea5da2186a8L,0x358ff444ef1fcfL,0x0798cc0329fcdcL,
        0x39a28bcc9aa46dL },
      { 0x42775c977fe4d2L,0x5eb8fc5483d6b0L,0x0bfe37c039e3f7L,
        0x429292eaf9df60L,0x188bdf4b840cd5L,0x06e10e090749cdL,
        0x0e52678e73192eL } },
    /* 103 */
    { { 0x05de80b08df5feL,0x2af8c77406c5f8L,0x53573c50a0304aL,
        0x277b10b751bca0L,0x65cf8c559132a5L,0x4c667abe25f73cL,
        0x0271809e05a575L },
      { 0x41ced461f7a2fbL,0x0889a9ebdd7075L,0x320c63f2b7760eL,
        0x4f8d4324151c63L,0x5af47315be2e5eL,0x73c62f6aee2885L,
        0x206d6412a56a97L } },
    /* 104 */
    { { 0x6b1c508b21d232L,0x3781185974ead6L,0x1aba7c3ebe1fcfL,
        0x5bdc03cd3f3a5aL,0x74a25036a0985bL,0x5929e30b7211b2L,
        0x16a9f3bc366bd7L },
      { 0x566a7057dcfffcL,0x23b5708a644bc0L,0x348cda2aa5ba8cL,
        0x466aa96b9750d4L,0x6a435ed9b20834L,0x2e7730f2cf9901L,
        0x2b5cd71d5b0410L } },
    /* 105 */
    { { 0x285ab3cee76ef4L,0x68895e3a57275dL,0x6fab2e48fd1265L,
        0x0f1de060428c94L,0x668a2b080b5905L,0x1b589dc3b0cb37L,
        0x3c037886592c9bL },
      { 0x7fb5c0f2e90d4dL,0x334eefb3d8c91aL,0x75747124700388L,
        0x547a2c2e2737f5L,0x2af9c080e37541L,0x0a295370d9091aL,
        0x0bb5c36dad99e6L } },
    /* 106 */
    { { 0x644116586f25cbL,0x0c3f41f9ee1f5dL,0x00628d43a3dedaL,
        0x16e1437aae9669L,0x6aba7861bf3e59L,0x60735631ff4c44L,
        0x345609efaa615eL },
      { 0x41f54792e6acefL,0x4791583f75864dL,0x37f2ff5c7508b1L,
        0x1288912516c3b0L,0x51a2135f6a539bL,0x3b775511f42091L,
        0x127c6afa7afe66L } },
    /* 107 */
    { { 0x79f4f4f7492b73L,0x583d967256342dL,0x51a729bff33ca3L,
        0x3977d2c22d8986L,0x066f528ba8d40bL,0x5d759d30f8eb94L,
        0x0f8e649192b408L },
      { 0x22d84e752555bbL,0x76953855c728c7L,0x3b2254e72aaaa4L,
        0x508cd4ce6c0212L,0x726296d6b5a6daL,0x7a77aa066986f3L,
        0x2267a497bbcf31L } },
    /* 108 */
    { { 0x7f3651bf825dc4L,0x3988817388c56fL,0x257313ed6c3dd0L,
        0x3feab7f3b8ffadL,0x6c0d3cb9e9c9b4L,0x1317be0a7b6ac4L,
        0x2a5f399d7df850L },
      { 0x2fe5a36c934f5eL,0x429199df88ded1L,0x435ea21619b357L,
        0x6aac6a063bac2bL,0x600c149978f5edL,0x76543aa1114c95L,
        0x163ca9c83c7596L } },
    /* 109 */
    { { 0x7dda4a3e4daedbL,0x1824cba360a4cdL,0x09312efd70e0c6L,
        0x454e68a146c885L,0x40aee762fe5c47L,0x29811cbd755a59L,
        0x34b37c95f28319L },
      { 0x77c58b08b717d2L,0x309470d9a0f491L,0x1ab9f40448e01cL,
        0x21c8bd819207b1L,0x6a01803e9361bcL,0x6e5e4c350ec415L,
        0x14fd55a91f8798L } },
    /* 110 */
    { { 0x4cee562f512a90L,0x0008361d53e390L,0x3789b307a892cfL,
        0x064f7be8770ae9L,0x41435d848762cfL,0x662204dd38baa6L,
        0x23d6dcf73f6c5aL },
      { 0x69bef2d2c75d95L,0x2b037c0c9bb43eL,0x495fb4d79a34cfL,
        0x184e140c601260L,0x60193f8d435f9cL,0x283fa52a0c3ad2L,
        0x1998635e3a7925L } },
    /* 111 */
    { { 0x1cfd458ce382deL,0x0dddbd201bbcaeL,0x14d2ae8ed45d60L,
        0x73d764ab0c24cbL,0x2a97fe899778adL,0x0dbd1e01eddfe9L,
        0x2ba5c72d4042c3L },
      { 0x27eebc3af788f1L,0x53ffc827fc5a30L,0x6d1d0726d35188L,
        0x4721275c50aa2aL,0x077125f02e690fL,0x6da8142405db5dL,
        0x126cef68992513L } },
    /* 112 */
    { { 0x3c6067035b2d69L,0x2a1ad7db2361acL,0x3debece6cad41cL,
        0x30095b30f9afc1L,0x25f50b9bd9c011L,0x79201b2f2c1da1L,
        0x3b5c151449c5bdL },
      { 0x76eff4127abdb4L,0x2d31e03ce0382aL,0x24ff21f8bda143L,
        0x0671f244fd3ebaL,0x0c1c00b6bcc6fbL,0x18de9f7c3ebefbL,
        0x33dd48c3809c67L } },
    /* 113 */
    { { 0x61d6c2722d94edL,0x7e426e31041cceL,0x4097439f1b47b0L,
        0x579e798b2d205bL,0x6a430d67f830ebL,0x0d2c676700f727L,
        0x05fea83a82f25bL },
      { 0x3f3482df866b98L,0x3dd353b6a5a9cdL,0x77fe6ae1a48170L,
        0x2f75cc2a8f7cddL,0x7442a3863dad17L,0x643de42d877a79L,
        0x0fec8a38fe7238L } },
    /* 114 */
    { { 0x79b70c0760ac07L,0x195d3af37e9b29L,0x1317ff20f7cf27L,
        0x624e1c739e7504L,0x67330ef50f943dL,0x775e8cf455d793L,
        0x17b94d2d913a9fL },
      { 0x4b627203609e7fL,0x06aac5fb93e041L,0x603c515fdc2611L,
        0x2592ca0d7ae472L,0x02395d1f50a6cbL,0x466ef9648f85d9L,
        0x297cf879768f72L } },
    /* 115 */
    { { 0x3489d67d85fa94L,0x0a6e5b739c8e04L,0x7ebb5eab442e90L,
        0x52665a007efbd0L,0x0967ca57b0d739L,0x24891f9d932b63L,
        0x3cc2d6dbadc9d3L },
      { 0x4b4773c81c5338L,0x73cd47dad7a0f9L,0x7c755bab6ae158L,
        0x50b03d6becefcaL,0x574d6e256d57f0L,0x188db4fffb92aeL,
        0x197e10118071eaL } },
    /* 116 */
    { { 0x45d0cbcba1e7f1L,0x1180056abec91aL,0x6c5f86624bbc28L,
        0x442c83f3b8e518L,0x4e16ae1843ecb4L,0x670cef2fd786c9L,
        0x205b4acb637d2cL },
      { 0x70b0e539aa8671L,0x67c982056bebd0L,0x645c831a5e7c36L,
        0x09e06951a14b32L,0x5dd610ad4c89e6L,0x41c35f20164831L,
        0x3821f29cb4cdb8L } },
    /* 117 */
    { { 0x2831ffaba10079L,0x70f6dac9ffe444L,0x1cfa32ccc03717L,
        0x01519fda22a3c8L,0x23215e815aaa27L,0x390671ad65cbf7L,
        0x03dd4d72de7d52L },
      { 0x1ecd972ee95923L,0x166f8da3813e8eL,0x33199bbd387a1aL,
        0x04525fe15e3dc7L,0x44d2ef54165898L,0x4b7e47d3dc47f7L,
        0x10d5c8db0b5d44L } },
    /* 118 */
    { { 0x176d95ba9cdb1bL,0x14025f04f23dfcL,0x49379332891687L,
        0x6625e5ccbb2a57L,0x7ac0abdbf9d0e5L,0x7aded4fbea15b2L,
        0x314844ac184d67L },
      { 0x6d9ce34f05eae3L,0x3805d2875856d2L,0x1c2122f85e40ebL,
        0x51cb9f2d483a9aL,0x367e91e20f1702L,0x573c3559838dfdL,
        0x0b282b0cb85af1L } },
    /* 119 */
    { { 0x6a12e4ef871eb5L,0x64bb517e14f5ffL,0x29e04d3aaa530bL,
        0x1b07d88268f261L,0x411be11ed16fb0L,0x1f480536db70bfL,
        0x17a7deadfd34e4L },
      { 0x76d72f30646612L,0x5a3bbb43a1b0a0L,0x5e1687440e82bfL,
        0x713b5e69481112L,0x46c3dcb499e174L,0x0862da3b4e2a24L,
        0x31cb55b4d62681L } },
    /* 120 */
    { { 0x5ffc74dae5bb45L,0x18944c37adb9beL,0x6aaa63b1ee641aL,
        0x090f4b6ee057d3L,0x4045cedd2ee00fL,0x21c2c798f7c282L,
        0x2c2c6ef38cd6bdL },
      { 0x40d78501a06293L,0x56f8caa5cc89a8L,0x7231d5f91b37aeL,
        0x655f1e5a465c6dL,0x3f59a81f9cf783L,0x09bbba04c23624L,
        0x0f71ee23bbacdeL } },
    /* 121 */
    { { 0x38d398c4741456L,0x5204c0654243c3L,0x34498c916ea77eL,
        0x12238c60e5fe43L,0x0fc54f411c7625L,0x30b2ca43aa80b6L,
        0x06bead1bb6ea92L },
      { 0x5902ba8674b4adL,0x075ab5b0fa254eL,0x58db83426521adL,
        0x5b66b6b3958e39L,0x2ce4e39890e07bL,0x46702513338b37L,
        0x363690c2ded4d7L } },
    /* 122 */
    { { 0x765642c6b75791L,0x0f4c4300d7f673L,0x404d8bbe101425L,
        0x61e91c88651f1bL,0x61ddc9bc60aed8L,0x0ef36910ce2e65L,
        0x04b44367aa63b8L },
      { 0x72822d3651b7dcL,0x4b750157a2716dL,0x091cb4f2118d16L,
        0x662ba93b101993L,0x447cbd54a1d40aL,0x12cdd48d674848L,
        0x16f10415cbec69L } },
    /* 123 */
    { { 0x0c57a3a751cd0eL,0x0833d7478fadceL,0x1e751f55686436L,
        0x489636c58e1df7L,0x26ad6da941266fL,0x22225d3559880fL,
        0x35b397c45ba0e2L },
      { 0x3ca97b70e1f2ceL,0x78e50427a8680cL,0x06137e042a8f91L,
        0x7ec40d2500b712L,0x3f0ad688ad7b0dL,0x24746fb33f9513L,
        0x3638fcce688f0bL } },
    /* 124 */
    { { 0x753163750bed6fL,0x786507cd16157bL,0x1d6ec228ce022aL,
        0x587255f42d1b31L,0x0c6adf72a3a0f6L,0x4bfeee2da33f5eL,
        0x08b7300814de6cL },
      { 0x00bf8df9a56e11L,0x75aead48fe42e8L,0x3de9bad911b2e2L,
        0x0fadb233e4b8bbL,0x5b054e8fd84f7dL,0x5eb3064152889bL,
        0x01c1c6e8c777a1L } },
    /* 125 */
    { { 0x5fa0e598f8fcb9L,0x11c129a1ae18dfL,0x5c41b482a2273bL,
        0x545664e5044c9cL,0x7e01c915bfb9abL,0x7f626e19296aa0L,
        0x20c91a9822a087L },
      { 0x273a9fbe3c378fL,0x0f126b44b7d350L,0x493764a75df951L,
        0x32dec3c367d24bL,0x1a7ae987fed9d3L,0x58a93055928b85L,
        0x11626975d7775fL } },
    /* 126 */
    { { 0x2bb174a95540a9L,0x10de02c58b613fL,0x2fa8f7b861f3eeL,
        0x44731260bdf3b3L,0x19c38ff7da41feL,0x3535a16e3d7172L,
        0x21a948b83cc7feL },
      { 0x0e6f72868bc259L,0x0c70799df3c979L,0x526919955584c3L,
        0x4d95fda04f8fa2L,0x7bb228e6c0f091L,0x4f728b88d92194L,
        0x2b361c5a136bedL } },
    /* 127 */
    { { 0x0c72ca10c53841L,0x4036ab49f9da12L,0x578408d2b7082bL,
        0x2c4903201fbf5eL,0x14722b3f42a6a8L,0x1997b786181694L,
        0x25c6f10de32849L },
      { 0x79f46d517ff2ffL,0x2dc5d97528f6deL,0x518a494489aa72L,
        0x52748f8af3cf97L,0x472da30a96bb16L,0x1be228f92465a9L,
        0x196f0c47d60479L } },
    /* 128 */
    { { 0x47dd7d139b3239L,0x049c9b06775d0fL,0x627ffc00562d5eL,
        0x04f578d5e5e243L,0x43a788ffcef8b9L,0x7db320be9dde28L,
        0x00837528b8572fL },
      { 0x2969eca306d695L,0x195b72795ec194L,0x5e1fa9b8e77e50L,
        0x4c627f2b3fbfd5L,0x4b91e0d0ee10ffL,0x5698c8d0f35833L,
        0x12d3a9431f475eL } },
    /* 129 */
    { { 0x6409457a0db57eL,0x795b35192e0433L,0x146f973fe79805L,
        0x3d49c516dfb9cfL,0x50dfc3646b3cdaL,0x16a08a2210ad06L,
        0x2b4ef5bcd5b826L },
      { 0x5ebabfee2e3e3eL,0x2e048e724d9726L,0x0a7a7ed6abef40L,
        0x71ff7f83e39ad8L,0x3405ac52a1b852L,0x2e3233357a608dL,
        0x38c1bf3b0e40e6L } },
    /* 130 */
    { { 0x59aec823e4712cL,0x6ed9878331ddadL,0x1cc6faf629f2a0L,
        0x445ff79f36c18cL,0x4edc7ed57aff3dL,0x22ee54c8bdd9e8L,
        0x35398f42d72ec5L },
      { 0x4e7a1cceee0ecfL,0x4c66a707dd1d31L,0x629ad157a23c04L,
        0x3b2c6031dc3c83L,0x3336acbcd3d96cL,0x26ce43adfce0f0L,
        0x3c869c98d699dcL } },
    /* 131 */
    { { 0x58b3cd9586ba11L,0x5d6514b8090033L,0x7c88c3bd736782L,
        0x1735f84f2130edL,0x47784095a9dee0L,0x76312c6e47901bL,
        0x1725f6ebc51455L },
      { 0x6744344bc4503eL,0x16630b4d66e12fL,0x7b3481752c3ec7L,
        0x47bb2ed1f46f95L,0x08a1a497dd1bcfL,0x1f525df2b8ed93L,
        0x0fe492ea993713L } },
    /* 132 */
    { { 0x71b8dd7268b448L,0x1743dfaf3728d7L,0x23938d547f530aL,
        0x648c3d497d0fc6L,0x26c0d769e3ad45L,0x4d25108769a806L,
        0x3fbf2025143575L },
      { 0x485bfd90339366L,0x2de2b99ed87461L,0x24a33347713badL,
        0x1674bc7073958aL,0x5bb2373ee85b5fL,0x57f9bd657e662cL,
        0x2041b248d39042L } },
    /* 133 */
    { { 0x5f01617d02f4eeL,0x2a8e31c4244b91L,0x2dab3e790229e0L,
        0x72d319ea7544afL,0x01ffb8b000cb56L,0x065e63b0daafd3L,
        0x3d7200a7111d6fL },
      { 0x4561ce1b568973L,0x37034c532dd8ecL,0x1368215020be02L,
        0x30e7184cf289ebL,0x199e0c27d815deL,0x7ee1b4dff324e5L,
        0x2f4a11de7fab5cL } },
    /* 134 */
    { { 0x33c2f99b1cdf2bL,0x1e0d78bf42a2c0L,0x64485dececaa67L,
        0x2242a41be93e92L,0x62297b1f15273cL,0x16ebfaafb02205L,
        0x0f50f805f1fdabL },
      { 0x28bb0b3a70eb28L,0x5b1c7d0160d683L,0x05c30a37959f78L,
        0x3d9301184922d2L,0x46c1ead7dbcb1aL,0x03ee161146a597L,
        0x2d413ed9a6ccc1L } },
    /* 135 */
    { { 0x685ab5f97a27c2L,0x59178214023751L,0x4ffef3c585ab17L,
        0x2bc85302aba2a9L,0x675b001780e856L,0x103c8a37f0b33dL,
        0x2241e98ece70a6L },
      { 0x546738260189edL,0x086c8f7a6b96edL,0x00832ad878a129L,
        0x0b679056ba7462L,0x020ce6264bf8c4L,0x3f9f4b4d92abfbL,
        0x3e9c55343c92edL } },
    /* 136 */
    { { 0x482cec9b3f5034L,0x08b59b3cd1fa30L,0x5a55d1bc8e58b5L,
        0x464a5259337d8eL,0x0a5b6c66ade5a5L,0x55db77b504ddadL,
        0x015992935eac35L },
      { 0x54fe51025e32fcL,0x5d7f52dbe4a579L,0x08c564a8c58696L,
        0x4482a8bec4503fL,0x440e75d9d94de9L,0x6992d768020bfaL,
        0x06c311e8ba01f6L } },
    /* 137 */
    { { 0x2a6ac808223878L,0x04d3ccb4aab0b8L,0x6e6ef09ff6e823L,
        0x15cb03ee9158dcL,0x0dc58919171bf7L,0x3273568abf3cb1L,
        0x1b55245b88d98bL },
      { 0x28e9383b1de0c1L,0x30d5009e4f1f1bL,0x334d185a56a134L,
        0x0875865dfa4c46L,0x266edf5eae3beeL,0x2e03ff16d1f7e5L,
        0x29a36bd9f0c16dL } },
    /* 138 */
    { { 0x004cff44b2e045L,0x426c96380ba982L,0x422292281e46d7L,
        0x508dd8d29d7204L,0x3a4ea73fb2995eL,0x4be64090ae07b2L,
        0x3339177a0eff22L },
      { 0x74a97ec2b3106eL,0x0c616d09169f5fL,0x1bb5d8907241a7L,
        0x661fb67f6d41bdL,0x018a88a0daf136L,0x746333a093a7b4L,
        0x3e19f1ac76424eL } },
    /* 139 */
    { { 0x542a5656527296L,0x0e7b9ce22f1bc9L,0x31b0945992b89bL,
        0x6e0570eb85056dL,0x32daf813483ae5L,0x69eeae9d59bb55L,
        0x315ad4b730b557L },
      { 0x2bc16795f32923L,0x6b02b7ba55130eL,0x1e9da67c012f85L,
        0x5616f014dabf8fL,0x777395fcd9c723L,0x2ff075e7743246L,
        0x2993538aff142eL } },
    /* 140 */
    { { 0x72dae20e552b40L,0x2e4ba69aa5d042L,0x001e563e618bd2L,
        0x28feeba3c98772L,0x648c356da2a907L,0x687e2325069ea7L,
        0x0d34ab09a394f0L },
      { 0x73c21813111286L,0x5829b53b304e20L,0x6fba574de08076L,
        0x79f7058f61614eL,0x4e71c9316f1191L,0x24ef12193e0a89L,
        0x35dc4e2bc9d848L } },
    /* 141 */
    { { 0x045e6d3b4ad1cdL,0x729c95493782f0L,0x77f59de85b361aL,
        0x5309b4babf28f8L,0x4d893d9290935fL,0x736f47f2b2669eL,
        0x23270922d757f3L },
      { 0x23a4826f70d4e9L,0x68a8c63215d33eL,0x4d6c2069205c9cL,
        0x46b2938a5eebe0L,0x41d1f1e2de3892L,0x5ca1775544bcb0L,
        0x3130629e5d19dcL } },
    /* 142 */
    { { 0x6e2681593375acL,0x117cfbabc22621L,0x6c903cd4e13ccaL,
        0x6f358f14d4bd97L,0x1bc58fa11089f1L,0x36aa2db4ac426aL,
        0x15ced8464b7ea1L },
      { 0x6966836cba7df5L,0x7c2b1851568113L,0x22b50ff2ffca66L,
        0x50e77d9f48e49aL,0x32775e9bbc7cc9L,0x403915bb0ece71L,
        0x1b8ec7cb9dd7aaL } },
    /* 143 */
    { { 0x65a888b677788bL,0x51887fac2e7806L,0x06792636f98d2bL,
        0x47bbcd59824c3bL,0x1aca908c43e6dcL,0x2e00d15c708981L,
        0x08e031c2c80634L },
      { 0x77fbc3a297c5ecL,0x10a7948af2919eL,0x10cdafb1fb6b2fL,
        0x27762309b486f0L,0x13abf26bbac641L,0x53da38478fc3eeL,
        0x3c22eff379bf55L } },
    /* 144 */
    { { 0x0163f484770ee3L,0x7f28e8942e0cbfL,0x5f86cb51b43831L,
        0x00feccd4e4782fL,0x40e5b417eafe7dL,0x79e5742bbea228L,
        0x3717154aa469beL },
      { 0x271d74a270f721L,0x40eb400890b70cL,0x0e37be81d4cb02L,
        0x786907f4e8d43fL,0x5a1f5b590a7acbL,0x048861883851fdL,
        0x11534a1e563dbbL } },
    /* 145 */
    { { 0x37a6357c525435L,0x6afe6f897b78a5L,0x7b7ff311d4f67bL,
        0x38879df15dc9f4L,0x727def7b8ba987L,0x20285dd0db4436L,
        0x156b0fc64b9243L },
      { 0x7e3a6ec0c1c390L,0x668a88d9bcf690L,0x5925aba5440dbeL,
        0x0f6891a044f593L,0x70b46edfed4d97L,0x1a6cc361bab201L,
        0x046f5bc6e160bcL } },
    /* 146 */
    { { 0x79350f076bc9d1L,0x077d9e79a586b9L,0x0896bc0c705764L,
        0x58e632b90e7e46L,0x14e87e0ad32488L,0x4b1bb3f72c6e00L,
        0x3c3ce9684a5fc5L },
      { 0x108fbaf1f703aaL,0x08405ecec17577L,0x199a8e2d44be73L,
        0x2eb22ed0067763L,0x633944deda3300L,0x20d739eb8e5efbL,
        0x2bbbd94086b532L } },
    /* 147 */
    { { 0x03c8b17a19045dL,0x6205a0a504980bL,0x67fdb3e962b9f0L,
        0x16399e01511a4bL,0x44b09fe9dffc96L,0x00a74ff44a1381L,
        0x14590deed3f886L },
      { 0x54e3d5c2a23ddbL,0x310e5138209d28L,0x613f45490c1c9bL,
        0x6bbc85d44bbec8L,0x2f85fc559e73f6L,0x0d71fa7d0fa8cbL,
        0x2898571d17fbb9L } },
    /* 148 */
    { { 0x5607a84335167dL,0x3009c1eb910f91L,0x7ce63447e62d0bL,
        0x03a0633afcf89eL,0x1234b5aaa50872L,0x5a307b534d547bL,
        0x2f4e97138a952eL },
      { 0x13914c2db0f658L,0x6cdcb47e6e75baL,0x5549169caca772L,
        0x0f20423dfeb16fL,0x6b1ae19d180239L,0x0b7b3bee9b7626L,
        0x1ca81adacfe4efL } },
    /* 149 */
    { { 0x219ec3ad19d96fL,0x3549f6548132dbL,0x699889c7aacd0bL,
        0x74602a58730b19L,0x62dc63bcece81cL,0x316f991c0c317aL,
        0x2b8627867b95e3L },
      { 0x67a25ddced1eedL,0x7e14f0eba756e7L,0x0873fbc09b0495L,
        0x0fefb0e16596adL,0x03e6cd98ef39bbL,0x1179b1cded249dL,
        0x35c79c1db1edc2L } },
    /* 150 */
    { { 0x1368309d4245bfL,0x442e55852a7667L,0x095b0f0f348b65L,
        0x6834cf459dfad4L,0x6645950c9be910L,0x06bd81288c71e6L,
        0x1b015b6e944edfL },
      { 0x7a6a83045ab0e3L,0x6afe88b9252ad0L,0x2285bd65523502L,
        0x6c78543879a282L,0x1c5e264b5c6393L,0x3a820c6a7453eeL,
        0x37562d1d61d3c3L } },
    /* 151 */
    { { 0x6c084f62230c72L,0x599490270bc6cfL,0x1d3369ddd3c53dL,
        0x516ddb5fac5da0L,0x35ab1e15011b1aL,0x5fba9106d3a180L,
        0x3be0f092a0917cL },
      { 0x57328f9fdc2538L,0x0526323fc8d5f6L,0x10cbb79521e602L,
        0x50d01167147ae2L,0x2ec7f1b3cda99eL,0x43073cc736e7beL,
        0x1ded89cadd83a6L } },
    /* 152 */
    { { 0x1d51bda65d56d5L,0x63f2fd4d2dc056L,0x326413d310ea6dL,
        0x3abba5bca92876L,0x6b9aa8bc4d6ebeL,0x1961c687f15d5dL,
        0x311cf07464c381L },
      { 0x2321b1064cd8aeL,0x6e3caac4443850L,0x3346fc4887d2d0L,
        0x1640417e0e640fL,0x4a958a52a07a9eL,0x1346a1b1cb374cL,
        0x0a793cf79beccbL } },
    /* 153 */
    { { 0x29d56cba89aaa5L,0x1581898c0b3c15L,0x1af5b77293c082L,
        0x1617ba53a006ceL,0x62dd3b384e475fL,0x71a9820c3f962aL,
        0x0e4938920b854eL },
      { 0x0b8d98849808abL,0x64c14923546de7L,0x6a20883b78a6fcL,
        0x72de211428acd6L,0x009678b47915bbL,0x21b5269ae5dae6L,
        0x313cc0e60b9457L } },
    /* 154 */
    { { 0x69ee421b1de38bL,0x44b484c6cec1c7L,0x0240596c6a8493L,
        0x2321a62c85fb9eL,0x7a10921802a341L,0x3d2a95507e45c3L,
        0x0752f40f3b6714L },
      { 0x596a38798751e6L,0x46bf186a0feb85L,0x0b23093e23b49cL,
        0x1bfa7bc5afdc07L,0x4ba96f873eefadL,0x292e453fae9e44L,
        0x2773646667b75cL } },
    /* 155 */
    { { 0x1f81a64e94f22aL,0x3125ee3d8683ddL,0x76a660a13b9582L,
        0x5aa584c3640c6eL,0x27cc99fd472953L,0x7048f4d58061d1L,
        0x379a1397ac81e8L },
      { 0x5d1ecd2b6b956bL,0x0829e0366b0697L,0x49548cec502421L,
        0x7af5e2f717c059L,0x329a25a0fec54eL,0x028e99e4bcd7f1L,
        0x071d5fe81fca78L } },
    /* 156 */
    { { 0x4b5c4aeb0fdfe4L,0x1367e11326ce37L,0x7c16f020ef5f19L,
        0x3c55303d77b471L,0x23a4457a06e46aL,0x2174426dd98424L,
        0x226f592114bd69L },
      { 0x4411b94455f15aL,0x52e0115381fae4L,0x45b6d8efbc8f7eL,
        0x58b1221bd86d26L,0x284fb6f8a7ec1fL,0x045835939ddd30L,
        0x0216960accd598L } },
    /* 157 */
    { { 0x4b61f9ec1f138aL,0x4460cd1e18502bL,0x277e4fce3c4726L,
        0x0244246d6414b9L,0x28fbfcef256984L,0x3347ed0db40577L,
        0x3b57fa9e044718L },
      { 0x4f73bcd6d1c833L,0x2c0d0dcf7f0136L,0x2010ac75454254L,
        0x7dc4f6151539a8L,0x0b8929ef6ea495L,0x517e20119d2bdfL,
        0x1e29f9a126ba15L } },
    /* 158 */
    { { 0x683a7c10470cd8L,0x0d05f0dbe0007fL,0x2f6a5026d649cdL,
        0x249ce2fdaed603L,0x116dc1e7a96609L,0x199bd8d82a0b98L,
        0x0694ad0219aeb2L },
      { 0x03a3656e864045L,0x4e552273df82a6L,0x19bcc7553d17abL,
        0x74ac536c1df632L,0x440302fb4a86f6L,0x1becec0e31c9feL,
        0x002045f8fa46b8L } },
    /* 159 */
    { { 0x5833ba384310a2L,0x1db83fad93f8baL,0x0a12713ee2f7edL,
        0x40e0f0fdcd2788L,0x1746de5fb239a5L,0x573748965cfa15L,
        0x1e3dedda0ef650L },
      { 0x6c8ca1c87607aeL,0x785dab9554fc0eL,0x649d8f91860ac8L,
        0x4436f88b52c0f9L,0x67f22ca8a5e4a3L,0x1f990fd219e4c9L,
        0x013dd21c08573fL } },
    /* 160 */
    { { 0x05d116141d161cL,0x5c1d2789da2ea5L,0x11f0d861f99f34L,
        0x692c2650963153L,0x3bd69f5329539eL,0x215898eef8885fL,
        0x041f79dd86f7f1L },
      { 0x76dcc5e96beebdL,0x7f2b50cb42a332L,0x067621cabef8abL,
        0x31e0be607054edL,0x4c67c5e357a3daL,0x5b1a63fbfb1c2bL,
        0x3112efbf5e5c31L } },
    /* 161 */
    { { 0x3f83e24c0c62f1L,0x51dc9c32aae4e0L,0x2ff89b33b66c78L,
        0x21b1c7d354142cL,0x243d8d381c84bcL,0x68729ee50cf4b7L,
        0x0ed29e0f442e09L },
      { 0x1ad7b57576451eL,0x6b2e296d6b91dcL,0x53f2b306e30f42L,
        0x3964ebd9ee184aL,0x0a32855df110e4L,0x31f2f90ddae05fL,
        0x3410cd04e23702L } },
    /* 162 */
    { { 0x60d1522ca8f2feL,0x12909237a83e34L,0x15637f80d58590L,
        0x3c72431b6d714dL,0x7c8e59a615bea2L,0x5f977b688ef35aL,
        0x071c198c0b3ab0L },
      { 0x2b54c699699b4bL,0x14da473c2fd0bcL,0x7ba818ea0ad427L,
        0x35117013940b2fL,0x6e1df6b5e609dbL,0x3f42502720b64dL,
        0x01ee7dc890e524L } },
    /* 163 */
    { { 0x12ec1448ff4e49L,0x3e2edac882522bL,0x20455ab300f93aL,
        0x5849585bd67c14L,0x0393d5aa34ba8bL,0x30f9a1f2044fa7L,
        0x1059c9377a93e0L },
      { 0x4e641cc0139e73L,0x0d9f23c9b0fa78L,0x4b2ad87e2b83f9L,
        0x1c343a9f6d9e3cL,0x1098a4cb46de4dL,0x4ddc893843a41eL,
        0x1797f4167d6e3aL } },
    /* 164 */
    { { 0x4add4675856031L,0x499bd5e5f7a0ffL,0x39ea1f1202271eL,
        0x0ecd7480d7a91eL,0x395f5e5fc10956L,0x0fa7f6b0c9f79bL,
        0x2fad4623aed6cbL },
      { 0x1563c33ae65825L,0x29881cafac827aL,0x50650baf4c45a1L,
        0x034aad988fb9e9L,0x20a6224dc5904cL,0x6fb141a990732bL,
        0x3ec9ae1b5755deL } },
    /* 165 */
    { { 0x3108e7c686ae17L,0x2e73a383b4ad8aL,0x4e6bb142ba4243L,
        0x24d355922c1d80L,0x2f850dd9a088baL,0x21c50325dd5e70L,
        0x33237dd5bd7fa4L },
      { 0x7823a39cab7630L,0x1535f71cff830eL,0x70d92ff0599261L,
        0x227154d2a2477cL,0x495e9bbb4f871cL,0x40d2034835686bL,
        0x31b08f97eaa942L } },
    /* 166 */
    { { 0x0016c19034d8ddL,0x68961627cf376fL,0x6acc90681615aeL,
        0x6bc7690c2e3204L,0x6ddf28d2fe19a2L,0x609b98f84dae4dL,
        0x0f32bfd7c94413L },
      { 0x7d7edc6b21f843L,0x49bbd2ebbc9872L,0x593d6ada7b6a23L,
        0x55736602939e9cL,0x79461537680e39L,0x7a7ee9399ca7cdL,
        0x008776f6655effL } },
    /* 167 */
    { { 0x64585f777233cfL,0x63ec12854de0f6L,0x6b7f9bbbc3f99dL,
        0x301c014b1b55d3L,0x7cf3663bbeb568L,0x24959dcb085bd1L,
        0x12366aa6752881L },
      { 0x77a74c0da5e57aL,0x3279ca93ad939fL,0x33c3c8a1ef08c9L,
        0x641b05ab42825eL,0x02f416d7d098dbL,0x7e3d58be292b68L,
        0x1864dbc46e1f46L } },
    /* 168 */
    { { 0x1da167b8153a9dL,0x47593d07d9e155L,0x386d984e12927fL,
        0x421a6f08a60c7cL,0x5ae9661c24dab3L,0x7927b2e7874507L,
        0x3266ea80609d53L },
      { 0x7d198f4c26b1e3L,0x430d4ea2c4048eL,0x58d8ab77e84ba3L,
        0x1cb14299c37297L,0x6db6031e8f695cL,0x159bd855e26d55L,
        0x3f3f6d318a73ddL } },
    /* 169 */
    { { 0x3ee958cca40298L,0x02a7e5eba32ad6L,0x43b4bab96f0e1eL,
        0x534be79062b2b1L,0x029ead089b37e3L,0x4d585da558f5aaL,
        0x1f9737eb43c376L },
      { 0x0426dfd9b86202L,0x4162866bc0a9f3L,0x18fc518e7bb465L,
        0x6db63380fed812L,0x421e117f709c30L,0x1597f8d0f5cee6L,
        0x04ffbf1289b06aL } },
    /* 170 */
    { { 0x61a1987ffa0a5fL,0x42058c7fc213c6L,0x15b1d38447d2c9L,
        0x3d5f5d7932565eL,0x5db754af445fa7L,0x5d489189fba499L,
        0x02c4c55f51141bL },
      { 0x26b15972e9993dL,0x2fc90bcbd97c45L,0x2ff60f8684b0f1L,
        0x1dc641dd339ab0L,0x3e38e6be23f82cL,0x3368162752c817L,
        0x19bba80ceb45ceL } },
    /* 171 */
    { { 0x7c6e95b4c6c693L,0x6bbc6d5efa7093L,0x74d7f90bf3bf1cL,
        0x54d5be1f0299a1L,0x7cb24f0aa427c6L,0x0a18f3e086c941L,
        0x058a1c90e4faefL },
      { 0x3d6bd016927e1eL,0x1da4ce773098b8L,0x2133522e690056L,
        0x0751416d3fc37eL,0x1beed1643eda66L,0x5288b6727d5c54L,
        0x199320e78655c6L } },
    /* 172 */
    { { 0x74575027eeaf94L,0x124bd533c3ceaeL,0x69421ab7a8a1d7L,
        0x37f2127e093f3dL,0x40281765252a08L,0x25a228798d856dL,
        0x326eca62759c4cL },
      { 0x0c337c51acb0a5L,0x122ba78c1ef110L,0x02498adbb68dc4L,
        0x67240c124b089eL,0x135865d25d9f89L,0x338a76d5ae5670L,
        0x03a8efaf130385L } },
    /* 173 */
    { { 0x3a450ac5e49beaL,0x282af80bb4b395L,0x6779eb0db1a139L,
        0x737cabdd174e55L,0x017b14ca79b5f2L,0x61fdef6048e137L,
        0x3acc12641f6277L },
      { 0x0f730746fe5096L,0x21d05c09d55ea1L,0x64d44bddb1a560L,
        0x75e5035c4778deL,0x158b7776613513L,0x7b5efa90c7599eL,
        0x2caa0791253b95L } },
    /* 174 */
    { { 0x288e5b6d53e6baL,0x435228909d45feL,0x33b4cf23b2a437L,
        0x45b352017d6db0L,0x4372d579d6ef32L,0x0fa9e5badbbd84L,
        0x3a78cff24759bbL },
      { 0x0899d2039eab6eL,0x4cf47d2f76bc22L,0x373f739a3a8c69L,
        0x09beaa5b1000b3L,0x0acdfbe83ebae5L,0x10c10befb0e900L,
        0x33d2ac4cc31be3L } },
    /* 175 */
    { { 0x765845931e08fbL,0x2a3c2a0dc58007L,0x7270da587d90e1L,
        0x1ee648b2bc8f86L,0x5d2ca68107b29eL,0x2b7064846e9e92L,
        0x3633ed98dbb962L },
      { 0x5e0f16a0349b1bL,0x58d8941f570ca4L,0x20abe376a4cf34L,
        0x0f4bd69a360977L,0x21eb07cc424ba7L,0x720d2ecdbbe6ecL,
        0x255597d5a97c34L } },
    /* 176 */
    { { 0x67bbf21a0f5e94L,0x422a3b05a64fc1L,0x773ac447ebddc7L,
        0x1a1331c08019f1L,0x01ef6d269744ddL,0x55f7be5b3b401aL,
        0x072e031c681273L },
      { 0x7183289e21c677L,0x5e0a3391f3162fL,0x5e02d9e65d914aL,
        0x07c79ea1adce2fL,0x667ca5c2e1cbe4L,0x4f287f22caccdaL,
        0x27eaa81673e75bL } },
    /* 177 */
    { { 0x5246180a078fe6L,0x67cc8c9fa3bb15L,0x370f8dd123db31L,
        0x1938dafa69671aL,0x5af72624950c5eL,0x78cc5221ebddf8L,
        0x22d616fe2a84caL },
      { 0x723985a839327fL,0x24fa95584a5e22L,0x3d8a5b3138d38bL,
        0x3829ef4a017acfL,0x4f09b00ae055c4L,0x01df84552e4516L,
        0x2a7a18993e8306L } },
    /* 178 */
    { { 0x7b6224bc310eccL,0x69e2cff429da16L,0x01c850e5722869L,
        0x2e4889443ee84bL,0x264a8df1b3d09fL,0x18a73fe478d0d6L,
        0x370b52740f9635L },
      { 0x52b7d3a9d6f501L,0x5c49808129ee42L,0x5b64e2643fd30cL,
        0x27d903fe31b32cL,0x594cb084d078f9L,0x567fb33e3ae650L,
        0x0db7be9932cb65L } },
    /* 179 */
    { { 0x19b78113ed7cbeL,0x002b2f097a1c8cL,0x70b1dc17fa5794L,
        0x786e8419519128L,0x1a45ba376af995L,0x4f6aa84b8d806cL,
        0x204b4b3bc7ca47L },
      { 0x7581a05fd94972L,0x1c73cadb870799L,0x758f6fefc09b88L,
        0x35c62ba8049b42L,0x6f5e71fc164cc3L,0x0cd738b5702721L,
        0x10021afac9a423L } },
    /* 180 */
    { { 0x654f7937e3c115L,0x5d198288b515cbL,0x4add965c25a6e3L,
        0x5a37df33cd76ffL,0x57bb7e288e1631L,0x049b69089e1a31L,
        0x383a88f4122a99L },
      { 0x4c0e4ef3d80a73L,0x553c77ac9f30e2L,0x20bb18c2021e82L,
        0x2aec0d1c4225c5L,0x397fce0ac9c302L,0x2ab0c2a246e8aaL,
        0x02e5e5190be080L } },
    /* 181 */
    { { 0x7a255a4ae03080L,0x0d68b01513f624L,0x29905bd4e48c8cL,
        0x1d81507027466bL,0x1684aaeb70dee1L,0x7dd460719f0981L,
        0x29c43b0f0a390cL },
      { 0x272567681b1f7dL,0x1d2a5f8502e0efL,0x0fd5cd6b221befL,
        0x5eb4749e9a0434L,0x7d1553a324e2a6L,0x2eefd8e86a7804L,
        0x2ad80d5335109cL } },
    /* 182 */
    { { 0x25342aef4c209dL,0x24e811ac4e0865L,0x3f209757f8ae9dL,
        0x1473ff8a5da57bL,0x340f61c3919cedL,0x7523bf85fb9bc0L,
        0x319602ebca7cceL },
      { 0x121e7541d442cbL,0x4ffa748e49c95cL,0x11493cd1d131dcL,
        0x42b215172ab6b5L,0x045fd87e13cc77L,0x0ae305df76342fL,
        0x373b033c538512L } },
    /* 183 */
    { { 0x389541e9539819L,0x769f3b29b7e239L,0x0d05f695e3232cL,
        0x029d04f0e9a9fbL,0x58b78b7a697fb8L,0x7531b082e6386bL,
        0x215d235bed95a9L },
      { 0x503947c1859c5dL,0x4b82a6ba45443fL,0x78328eab71b3a5L,
        0x7d8a77f8cb3509L,0x53fcd9802e41d4L,0x77552091976edbL,
        0x226c60ad7a5156L } },
    /* 184 */
    { { 0x77ad6a43360710L,0x0fdeabd326d7aeL,0x4012886c92104aL,
        0x2d6c378dd7ae33L,0x7e72ef2c0725f3L,0x4a4671f4ca18e0L,
        0x0afe3b4bb6220fL },
      { 0x212cf4b56e0d6aL,0x7c24d086521960L,0x0662cf71bd414dL,
        0x1085b916c58c25L,0x781eed2be9a350L,0x26880e80db6ab2L,
        0x169e356442f061L } },
    /* 185 */
    { { 0x57aa2ad748b02cL,0x68a34256772a9aL,0x1591c44962f96cL,
        0x110a9edd6e53d2L,0x31eab597e091a3L,0x603e64e200c65dL,
        0x2f66b72e8a1cfcL },
      { 0x5c79d138543f7fL,0x412524363fdfa3L,0x547977e3b40008L,
        0x735ca25436d9f7L,0x232b4888cae049L,0x27ce37a53d8f23L,
        0x34d45881a9b470L } },
    /* 186 */
    { { 0x76b95255924f43L,0x035c9f3bd1aa5dL,0x5eb71a010b4bd0L,
        0x6ce8dda7e39f46L,0x35679627ea70c0L,0x5c987767c7d77eL,
        0x1fa28952b620b7L },
      { 0x106f50b5924407L,0x1cc3435a889411L,0x0597cdce3bc528L,
        0x738f8b0d5077d1L,0x5894dd60c7dd6aL,0x0013d0721f5e2eL,
        0x344573480527d3L } },
    /* 187 */
    { { 0x2e2c1da52abf77L,0x394aa8464ad05eL,0x095259b7330a83L,
        0x686e81cf6a11f5L,0x405c7e48c93c7cL,0x65c3ca9444a2ecL,
        0x07bed6c59c3563L },
      { 0x51f9d994fb1471L,0x3c3ecfa5283b4eL,0x494dccda63f6ccL,
        0x4d07b255363a75L,0x0d2b6d3155d118L,0x3c688299fc9497L,
        0x235692fa3dea3aL } },
    /* 188 */
    { { 0x16b4d452669e98L,0x72451fa85406b9L,0x674a145d39151fL,
        0x325ffd067ae098L,0x527e7805cd1ae0L,0x422a1d1789e48dL,
        0x3e27be63f55e07L },
      { 0x7f95f6dee0b63fL,0x008e444cc74969L,0x01348f3a72b614L,
        0x000cfac81348c3L,0x508ae3e5309ce5L,0x2584fcdee44d34L,
        0x3a4dd994899ee9L } },
    /* 189 */
    { { 0x4d289cc0368708L,0x0e5ebc60dc3b40L,0x78cc44bfab1162L,
        0x77ef2173b7d11eL,0x06091718e39746L,0x30fe19319b83a4L,
        0x17e8f2988529c6L },
      { 0x68188bdcaa9f2aL,0x0e64b1350c1bddL,0x5b18ebac7cc4b3L,
        0x75315a9fcc046eL,0x36e9770fd43db4L,0x54c5857fc69121L,
        0x0417e18f3e909aL } },
    /* 190 */
    { { 0x29795db38059adL,0x6efd20c8fd4016L,0x3b6d1ce8f95a1aL,
        0x4db68f177f8238L,0x14ec7278d2340fL,0x47bd77ff2b77abL,
        0x3d2dc8cd34e9fcL },
      { 0x285980a5a83f0bL,0x08352e2d516654L,0x74894460481e1bL,
        0x17f6f3709c480dL,0x6b590d1b55221eL,0x45c100dc4c9be9L,
        0x1b13225f9d8b91L } },
    /* 191 */
    { { 0x0b905fb4b41d9dL,0x48cc8a474cb7a2L,0x4eda67e8de09b2L,
        0x1de47c829adde8L,0x118ad5b9933d77L,0x7a12665ac3f9a4L,
        0x05631a4fb52997L },
      { 0x5fb2a8e6806e63L,0x27d96bbcca369bL,0x46066f1a6b8c7bL,
        0x63b58fc7ca3072L,0x170a36229c0d62L,0x57176f1e463203L,
        0x0c7ce083e73b9cL } },
    /* 192 */
    { { 0x31caf2c09e1c72L,0x6530253219e9d2L,0x7650c98b601c57L,
        0x182469f99d56c0L,0x415f65d292b7a7L,0x30f62a55549b8eL,
        0x30f443f643f465L },
      { 0x6b35c575ddadd0L,0x14a23cf6d299eeL,0x2f0198c0967d7dL,
        0x1013058178d5bfL,0x39da601c9cc879L,0x09d8963ec340baL,
        0x1b735db13ad2a7L } },
    /* 193 */
    { { 0x20916ffdc83f01L,0x16892aa7c9f217L,0x6bff179888d532L,
        0x4adf3c3d366288L,0x41a62b954726aeL,0x3139609022aeb6L,
        0x3e8ab9b37aff7aL },
      { 0x76bbc70f24659aL,0x33fa98513886c6L,0x13b26af62c4ea6L,
        0x3c4d5826389a0cL,0x526ec28c02bf6aL,0x751ff083d79a7cL,
        0x110ac647990224L } },
    /* 194 */
    { { 0x2c6c62fa2b6e20L,0x3d37edad30c299L,0x6ef25b44b65fcaL,
        0x7470846914558eL,0x712456eb913275L,0x075a967a9a280eL,
        0x186c8188f2a2a0L },
      { 0x2f3b41a6a560b1L,0x3a8070b3f9e858L,0x140936ff0e1e78L,
        0x5fd298abe6da8aL,0x3823a55d08f153L,0x3445eafaee7552L,
        0x2a5fc96731a8b2L } },
    /* 195 */
    { { 0x06317be58edbbbL,0x4a38f3bfbe2786L,0x445b60f75896b7L,
        0x6ec7c92b5adf57L,0x07b6be8038a441L,0x1bcfe002879655L,
        0x2a2174037d6d0eL },
      { 0x776790cf9e48bdL,0x73e14a2c4ed1d3L,0x7eb5ed5f2fc2f7L,
        0x3e0aedb821b384L,0x0ee3b7e151c12fL,0x51a6a29e044bb2L,
        0x0ba13a00cb0d86L } },
    /* 196 */
    { { 0x77607d563ec8d8L,0x023fc726996e44L,0x6bd63f577a9986L,
        0x114a6351e53973L,0x3efe97989da046L,0x1051166e117ed7L,
        0x0354933dd4fb5fL },
      { 0x7699ca2f30c073L,0x4c973b83b9e6d3L,0x2017c2abdbc3e8L,
        0x0cdcdd7a26522bL,0x511070f5b23c7dL,0x70672327e83d57L,
        0x278f842b4a9f26L } },
    /* 197 */
    { { 0x0824f0d4ae972fL,0x60578dd08dcf52L,0x48a74858290fbbL,
        0x7302748bf23030L,0x184b229a178acfL,0x3e8460ade089d6L,
        0x13f2b557fad533L },
      { 0x7f96f3ae728d15L,0x018d8d40066341L,0x01fb94955a289aL,
        0x2d32ed6afc2657L,0x23f4f5e462c3acL,0x60eba5703bfc5aL,
        0x1b91cc06f16c7aL } },
    /* 198 */
    { { 0x411d68af8219b9L,0x79cca36320f4eeL,0x5c404e0ed72e20L,
        0x417cb8692e43f2L,0x305d29c7d98599L,0x3b754d5794a230L,
        0x1c97fb4be404e9L },
      { 0x7cdbafababd109L,0x1ead0eb0ca5090L,0x1a2b56095303e3L,
        0x75dea935012c8fL,0x67e31c071b1d1dL,0x7c324fbfd172c3L,
        0x157e257e6498f7L } },
    /* 199 */
    { { 0x19b00db175645bL,0x4c4f6cb69725f1L,0x36d9ce67bd47ceL,
        0x2005e105179d64L,0x7b952e717867feL,0x3c28599204032cL,
        0x0f5659d44fb347L },
      { 0x1ebcdedb979775L,0x4378d45cfd11a8L,0x14c85413ca66e9L,
        0x3dd17d681c8a4dL,0x58368e7dc23142L,0x14f3eaac6116afL,
        0x0adb45b255f6a0L } },
    /* 200 */
    { { 0x2f5e76279ad982L,0x125b3917034d09L,0x3839a6399e6ed3L,
        0x32fe0b3ebcd6a2L,0x24ccce8be90482L,0x467e26befcc187L,
        0x2828434e2e218eL },
      { 0x17247cd386efd9L,0x27f36a468d85c3L,0x65e181ef203bbfL,
        0x0433a6761120afL,0x1d607a2a8f8625L,0x49f4e55a13d919L,
        0x3367c3b7943e9dL } },
    /* 201 */
    { { 0x3391c7d1a46d4dL,0x38233d602d260cL,0x02127a0f78b7d4L,
        0x56841c162c24c0L,0x4273648fd09aa8L,0x019480bb0e754eL,
        0x3b927987b87e58L },
      { 0x6676be48c76f73L,0x01ec024e9655aeL,0x720fe1c6376704L,
        0x17e06b98885db3L,0x656adec85a4200L,0x73780893c3ce88L,
        0x0a339cdd8df664L } },
    /* 202 */
    { { 0x69af7244544ac7L,0x31ab7402084d2fL,0x67eceb7ef7cb19L,
        0x16f8583b996f61L,0x1e208d12faf91aL,0x4a91584ce4a42eL,
        0x3e08337216c93eL },
      { 0x7a6eea94f4cf77L,0x07a52894678c60L,0x302dd06b14631eL,
        0x7fddb7225c9ceaL,0x55e441d7acd153L,0x2a00d4490b0f44L,
        0x053ef125338cdbL } },
    /* 203 */
    { { 0x120c0c51584e3cL,0x78b3efca804f37L,0x662108aefb1dccL,
        0x11deb55f126709L,0x66def11ada8125L,0x05bbc0d1001711L,
        0x1ee1c99c7fa316L },
      { 0x746f287de53510L,0x1733ef2e32d09cL,0x1df64a2b0924beL,
        0x19758da8f6405eL,0x28f6eb3913e484L,0x7175a1090cc640L,
        0x048aee0d63f0bcL } },
    /* 204 */
    { { 0x1f3b1e3b0b29c3L,0x48649f4882a215L,0x485eca3a9e0dedL,
        0x4228ba85cc82e4L,0x36da1f39bc9379L,0x1659a7078499d1L,
        0x0a67d5f6c04188L },
      { 0x6ac39658afdce3L,0x0d667a0bde8ef6L,0x0ae6ec0bfe8548L,
        0x6d9cb2650571bfL,0x54bea107760ab9L,0x705c53bd340cf2L,
        0x111a86b610c70fL } },
    /* 205 */
    { { 0x7ecea05c6b8195L,0x4f8be93ce3738dL,0x305de9eb9f5d12L,
        0x2c3b9d3d474b56L,0x673691a05746c3L,0x2e3482c428c6eaL,
        0x2a8085fde1f472L },
      { 0x69d15877fd3226L,0x4609c9ec017cc3L,0x71e9b7fc1c3dbcL,
        0x4f8951254e2675L,0x63ee9d15afa010L,0x0f05775b645190L,
        0x28a0a439397ae3L } },
    /* 206 */
    { { 0x387fa03e9de330L,0x40cc32b828b6abL,0x02a482fbc04ac9L,
        0x68cad6e70429b7L,0x741877bff6f2c4L,0x48efe633d3b28bL,
        0x3e612218fe24b3L },
      { 0x6fc1d34fe37657L,0x3d04b9e1c8b5a1L,0x6a2c332ef8f163L,
        0x7ca97e2b135690L,0x37357d2a31208aL,0x29f02f2332bd68L,
        0x17c674c3e63a57L } },
    /* 207 */
    { { 0x683d9a0e6865bbL,0x5e77ec68ad4ce5L,0x4d18f236788bd6L,
        0x7f34b87204f4e3L,0x391ca40e9e578dL,0x3470ed6ddf4e23L,
        0x225544b3e50989L },
      { 0x48eda8cb4e462bL,0x2a948825cf9109L,0x473adedc7e1300L,
        0x37b843b82192edL,0x2b9ac1537dde36L,0x4efe7412732332L,
        0x29cc5981b5262bL } },
    /* 208 */
    { { 0x190d2fcad260f5L,0x7c53dd81d18027L,0x003def5f55db0eL,
        0x7f5ed25bee2df7L,0x2b87e9be167d2eL,0x2b999c7bbcd224L,
        0x1d68a2c260ad50L },
      { 0x010bcde84607a6L,0x0250de9b7e1bedL,0x746d36bfaf1b56L,
        0x3359475ff56abbL,0x7e84b9bc440b20L,0x2eaa7e3b52f162L,
        0x01165412f36a69L } },
    /* 209 */
    { { 0x639a02329e5836L,0x7aa3ee2e4d3a27L,0x5bc9b258ecb279L,
        0x4cb3dfae2d62c6L,0x08d9d3b0c6c437L,0x5a2c177d47eab2L,
        0x36120479fc1f26L },
      { 0x7609a75bd20e4aL,0x3ba414e17551fcL,0x42cd800e1b90c9L,
        0x04921811b88f9bL,0x4443697f9562fdL,0x3a8081b8186959L,
        0x3f5b5c97379e73L } },
    /* 210 */
    { { 0x6fd0e3cf13eafbL,0x3976b5415cbf67L,0x4de40889e48402L,
        0x17e4d36f24062aL,0x16ae7755cf334bL,0x2730ac94b7e0e1L,
        0x377592742f48e0L },
      { 0x5e10b18a045041L,0x682792afaae5a1L,0x19383ec971b816L,
        0x208b17dae2ffc0L,0x439f9d933179b6L,0x55485a9090bcaeL,
        0x1c316f42a2a35cL } },
    /* 211 */
    { { 0x67173897bdf646L,0x0b6956653ef94eL,0x5be3c97f7ea852L,
        0x3110c12671f08eL,0x2474076a3fc7ecL,0x53408be503fe72L,
        0x09155f53a5b44eL },
      { 0x5c804bdd4c27cdL,0x61e81eb8ffd50eL,0x2f7157fdf84717L,
        0x081f880d646440L,0x7aa892acddec51L,0x6ae70683443f33L,
        0x31ed9e8b33a75aL } },
    /* 212 */
    { { 0x0d724f8e357586L,0x1febbec91b4134L,0x6ff7b98a9475fdL,
        0x1c4d9b94e1f364L,0x2b8790499cef00L,0x42fd2080a1b31dL,
        0x3a3bbc6d9b0145L },
      { 0x75bfebc37e3ca9L,0x28db49c1723bd7L,0x50b12fa8a1f17aL,
        0x733d95bbc84b98L,0x45ede81f6c109eL,0x18f5e46fb37b5fL,
        0x34b980804aaec1L } },
    /* 213 */
    { { 0x56060c8a4f57bfL,0x0d2dfe223054c2L,0x718a5bbc03e5d6L,
        0x7b3344cc19b3b9L,0x4d11c9c054bcefL,0x1f5ad422c22e33L,
        0x2609299076f86bL },
      { 0x7b7a5fba89fd01L,0x7013113ef3b016L,0x23d5e0a173e34eL,
        0x736c14462f0f50L,0x1ef5f7ac74536aL,0x4baba6f4400ea4L,
        0x17b310612c9828L } },
    /* 214 */
    { { 0x4ebb19a708c8d3L,0x209f8c7f03d9bbL,0x00461cfe5798fbL,
        0x4f93b6ae822fadL,0x2e5b33b5ad5447L,0x40b024e547a84bL,
        0x22ffad40443385L },
      { 0x33809c888228bfL,0x559f655fefbe84L,0x0032f529fd2f60L,
        0x5a2191ece3478cL,0x5b957fcd771246L,0x6fec181f9ed123L,
        0x33eed3624136a3L } },
    /* 215 */
    { { 0x6a5df93b26139aL,0x55076598fd7134L,0x356a592f34f81dL,
        0x493c6b5a3d4741L,0x435498a4e2a39bL,0x2cd26a0d931c88L,
        0x01925ea3fc7835L },
      { 0x6e8d992b1efa05L,0x79508a727c667bL,0x5f3c15e6b4b698L,
        0x11b6c755257b93L,0x617f5af4b46393L,0x248d995b2b6656L,
        0x339db62e2e22ecL } },
    /* 216 */
    { { 0x52537a083843dcL,0x6a283c82a768c7L,0x13aa6bf25227acL,
        0x768d76ba8baf5eL,0x682977a6525808L,0x67ace52ac23b0bL,
        0x2374b5a2ed612dL },
      { 0x7139e60133c3a4L,0x715697a4f1d446L,0x4b018bf36677a0L,
        0x1dd43837414d83L,0x505ec70730d4f6L,0x09ac100907fa79L,
        0x21caad6e03217eL } },
    /* 217 */
    { { 0x0776d3999d4d49L,0x33bdd87e8bcff8L,0x1036b87f068fadL,
        0x0a9b8ffde4c872L,0x7ab2533596b1eaL,0x305a88fb965378L,
        0x3356d8fa4d65e5L },
      { 0x3366fa77d1ff11L,0x1e0bdbdcd2075cL,0x46910cefc967caL,
        0x7ce700737a1ff6L,0x1c5dc15409c9bdL,0x368436b9bdb595L,
        0x3e7ccd6560b5efL } },
    /* 218 */
    { { 0x1443789422c792L,0x524792b1717f2bL,0x1f7c1d95048e7aL,
        0x5cfe2a225b0d12L,0x245594d29ce85bL,0x20134d254ce168L,
        0x1b83296803921aL },
      { 0x79a78285b3beceL,0x3c738c3f3124d6L,0x6ab9d1fe0907cdL,
        0x0652ceb7fc104cL,0x06b5f58c8ae3fdL,0x486959261c5328L,
        0x0b3813ae677c90L } },
    /* 219 */
    { { 0x66b9941ac37b82L,0x651a4b609b0686L,0x046711edf3fc31L,
        0x77f89f38faa89bL,0x2683ddbf2d5edbL,0x389ef1dfaa3c25L,
        0x20b3616e66273eL },
      { 0x3c6db6e0cb5d37L,0x5d7ae5dc342bc4L,0x74a1dc6c52062bL,
        0x6f7c0bec109557L,0x5c51f7bc221d91L,0x0d7b5880745288L,
        0x1c46c145c4b0ddL } },
    /* 220 */
    { { 0x59ed485ea99eccL,0x201b71956bc21dL,0x72d5c32f73de65L,
        0x1aefd76547643eL,0x580a452cfb2c2dL,0x7cb1a63f5c4dc9L,
        0x39a8df727737aaL },
      { 0x365a341deca452L,0x714a1ad1689cbaL,0x16981d12c42697L,
        0x5a124f4ac91c75L,0x1b2e3f2fedc0dbL,0x4a1c72b8e9d521L,
        0x3855b4694e4e20L } },
    /* 221 */
    { { 0x16b3d047181ae9L,0x17508832f011afL,0x50d33cfeb2ebd1L,
        0x1deae237349984L,0x147c641aa6adecL,0x24a9fb4ebb1ddbL,
        0x2b367504a7a969L },
      { 0x4c55a3d430301bL,0x379ef6a5d492cbL,0x3c56541fc0f269L,
        0x73a546e91698ceL,0x2c2b62ee0b9b5dL,0x6284184d43d0efL,
        0x0e1f5cf6a4b9f0L } },
    /* 222 */
    { { 0x44833e8cd3fdacL,0x28e6665cb71c27L,0x2f8bf87f4ddbf3L,
        0x6cc6c767fb38daL,0x3bc114d734e8b5L,0x12963d5a78ca29L,
        0x34532a161ece41L },
      { 0x2443af5d2d37e9L,0x54e6008c8c452bL,0x2c55d54111cf1bL,
        0x55ac7f7522575aL,0x00a6fba3f8575fL,0x3f92ef3b793b8dL,
        0x387b97d69ecdf7L } },
    /* 223 */
    { { 0x0b464812d29f46L,0x36161daa626f9aL,0x5202fbdb264ca5L,
        0x21245805ff1304L,0x7f9c4a65657885L,0x542d3887f9501cL,
        0x086420deef8507L },
      { 0x5e159aa1b26cfbL,0x3f0ef5ffd0a50eL,0x364b29663a432aL,
        0x49c56888af32a8L,0x6f937e3e0945d1L,0x3cbdeec6d766cdL,
        0x2d80d342ece61aL } },
    /* 224 */
    { { 0x255e3026d8356eL,0x4ddba628c4de9aL,0x074323b593e0d9L,
        0x333bdb0a10eefbL,0x318b396e473c52L,0x6ebb5a95efd3d3L,
        0x3f3bff52aa4e4fL },
      { 0x3138a111c731d5L,0x674365e283b308L,0x5585edd9c416f2L,
        0x466763d9070fd4L,0x1b568befce8128L,0x16eb040e7b921eL,
        0x3d5c898687c157L } },
    /* 225 */
    { { 0x14827736973088L,0x4e110d53f301e6L,0x1f811b09870023L,
        0x53b5e500dbcacaL,0x4ddf0df1e6a7dcL,0x1e9575fb10ce35L,
        0x3fdc153644d936L },
      { 0x763547e2260594L,0x26e5ae764efc59L,0x13be6f4d791a29L,
        0x2021e61e3a0cf1L,0x339cd2b4a1c202L,0x5c7451e08f5121L,
        0x3728b3a851be68L } },
    /* 226 */
    { { 0x78873653277538L,0x444b9ed2ee7156L,0x79ac8b8b069cd3L,
        0x5f0e90933770e8L,0x307662c615389eL,0x40fe6d95a80057L,
        0x04822170cf993cL },
      { 0x677d5690fbfec2L,0x0355af4ae95cb3L,0x417411794fe79eL,
        0x48daf87400a085L,0x33521d3b5f0aaaL,0x53567a3be00ff7L,
        0x04712ccfb1cafbL } },
    /* 227 */
    { { 0x2b983283c3a7f3L,0x579f11b146a9a6L,0x1143d3b16a020eL,
        0x20f1483ef58b20L,0x3f03e18d747f06L,0x3129d12f15de37L,
        0x24c911f7222833L },
      { 0x1e0febcf3d5897L,0x505e26c01cdaacL,0x4f45a9adcff0e9L,
        0x14dfac063c5cebL,0x69e5ce713fededL,0x3481444a44611aL,
        0x0ea49295c7fdffL } },
    /* 228 */
    { { 0x64554cb4093beeL,0x344b4b18dd81f6L,0x350f43b4de9b59L,
        0x28a96a220934caL,0x4aa8da5689a515L,0x27171cbd518509L,
        0x0cfc1753f47c95L },
      { 0x7dfe091b615d6eL,0x7d1ee0aa0fb5c1L,0x145eef3200b7b5L,
        0x33fe88feeab18fL,0x1d62d4f87453e2L,0x43b8db4e47fff1L,
        0x1572f2b8b8f368L } },
    /* 229 */
    { { 0x6bc94e6b4e84f3L,0x60629dee586a66L,0x3bbad5fe65ca18L,
        0x217670db6c2fefL,0x0320a7f4e3272aL,0x3ccff0d976a6deL,
        0x3c26da8ae48cccL },
      { 0x53ecf156778435L,0x7533064765a443L,0x6c5c12f03ca5deL,
        0x44f8245350dabfL,0x342cdd777cf8b3L,0x2b539c42e9f58dL,
        0x10138affc279b1L } },
    /* 230 */
    { { 0x1b135e204c5ddbL,0x40887dfeaa1d37L,0x7fb0ef83da76ffL,
        0x521f2b79af55a5L,0x3f9b38b4c3f0d0L,0x20a9838cce61ceL,
        0x24bb4e2f4b1e32L },
      { 0x003f6aa386e27cL,0x68df59db0a0f8eL,0x21677d5192e713L,
        0x14ab9757501276L,0x411944af961524L,0x3184f39abc5c3fL,
        0x2a8dda80ca078dL } },
    /* 231 */
    { { 0x0592233cdbc95cL,0x54d5de5c66f40fL,0x351caa1512ab86L,
        0x681bdbee020084L,0x6ee2480c853e68L,0x6a5a44262b918fL,
        0x06574e15a3b91dL },
      { 0x31ba03dacd7fbeL,0x0c3da7c18a57a9L,0x49aaaded492d6bL,
        0x3071ff53469e02L,0x5efb4f0d7248c6L,0x6db5fb67f12628L,
        0x29cff668e3d024L } },
    /* 232 */
    { { 0x1b9ef3bb1b17ceL,0x6ccf8c24fe6312L,0x34c15487f45008L,
        0x1a84044095972cL,0x515073a47e449eL,0x2ddc93f9097feeL,
        0x1008fdc894c434L },
      { 0x08e5edb73399faL,0x65b1aa65547d4cL,0x3a117a1057c498L,
        0x7e16c3089d13acL,0x502f2ae4b6f851L,0x57a70f3eb62673L,
        0x111b48a9a03667L } },
    /* 233 */
    { { 0x5023024be164f1L,0x25ad117032401eL,0x46612b3bfe3427L,
        0x2f4f406a8a02b7L,0x16a93a5c4ddf07L,0x7ee71968fcdbe9L,
        0x2267875ace37daL },
      { 0x687e88b59eb2a6L,0x3ac7368fe716d3L,0x28d953a554a036L,
        0x34d52c0acca08fL,0x742a7cf8dd4fd9L,0x10bfeb8575ea60L,
        0x290e454d868dccL } },
    /* 234 */
    { { 0x4e72a3a8a4bdd2L,0x1ba36d1dee04d5L,0x7a43136b63195bL,
        0x6ca8e286a519f3L,0x568e64aece08a9L,0x571d5000b5c10bL,
        0x3f75e9f5dbdd40L },
      { 0x6fb0a698d6fa45L,0x0ce42209d7199cL,0x1f68275f708a3eL,
        0x5749832e91ec3cL,0x6c3665521428b2L,0x14b2bf5747bd4aL,
        0x3b6f940e42a22bL } },
    /* 235 */
    { { 0x4da0adbfb26c82L,0x16792a585f39acL,0x17df9dfda3975cL,
        0x4796b4afaf479bL,0x67be67234e0020L,0x69df5f201dda25L,
        0x09f71a4d12b3dcL },
      { 0x64ff5ec260a46aL,0x579c5b86385101L,0x4f29a7d549f697L,
        0x4e64261242e2ebL,0x54ecacdfb6b296L,0x46e0638b5fddadL,
        0x31eefd3208891dL } },
    /* 236 */
    { { 0x5b72c749fe01b2L,0x230cf27523713aL,0x533d1810e0d1e1L,
        0x5590db7d1dd1e2L,0x7b8ab73e8e43d3L,0x4c8a19bd1c17caL,
        0x19222ce9f74810L },
      { 0x6398b3dddc4582L,0x0352b7d88dfd53L,0x3c55b4e10c5a63L,
        0x38194d13f8a237L,0x106683fd25dd87L,0x59e0b62443458eL,
        0x196cb70aa9cbb9L } },
    /* 237 */
    { { 0x2885f7cd021d63L,0x162bfd4c3e1043L,0x77173dcf98fcd1L,
        0x13d4591d6add36L,0x59311154d0d8f2L,0x74336e86e79b8aL,
        0x13faadc5661883L },
      { 0x18938e7d9ec924L,0x14bcda8fcaa0a1L,0x706d85d41a1355L,
        0x0ac34520d168deL,0x5a92499fe17826L,0x36c2e3b4f00600L,
        0x29c2fd7b5f63deL } },
    /* 238 */
    { { 0x41250dfe2216c5L,0x44a0ec0366a217L,0x575bc1adf8b0dfL,
        0x5ff5cdbdb1800bL,0x7843d4dde8ca18L,0x5fa9e420865705L,
        0x235c38be6c6b02L },
      { 0x473b78aae91abbL,0x39470c6051e44bL,0x3f973cc2dc08c3L,
        0x2837932c5c91f6L,0x25e39ed754ec25L,0x1371c837118e53L,
        0x3b99f3b0aeafe2L } },
    /* 239 */
    { { 0x03acf51be46c65L,0x271fceacbaf5c3L,0x476589ed3a5e25L,
        0x78ec8c3c3c399cL,0x1f5c8bf4ac4c19L,0x730bb733ec68d2L,
        0x29a37e00dd287eL },
      { 0x448ed1bf92b5faL,0x10827c17b86478L,0x55e6fc05b28263L,
        0x0af1226c73a66aL,0x0b66e5df0d09c1L,0x26128315a02682L,
        0x22d84932c5e808L } },
    /* 240 */
    { { 0x5ec3afc26e3392L,0x08e142e45c0084L,0x4388d5ad0f01feL,
        0x0f7acd36e6140cL,0x028c14ed97dffbL,0x311845675a38c6L,
        0x01c1c8f09a3062L },
      { 0x5a302f4cf49e7dL,0x79267e254a44e1L,0x746165052317a1L,
        0x53a09263a566e8L,0x7d478ad5f73abcL,0x187ce5c947dad3L,
        0x18564e1a1ec45fL } },
    /* 241 */
    { { 0x7b9577a9aa0486L,0x766b40c7aaaef6L,0x1f6a411f5db907L,
        0x4543dd4d80beaeL,0x0ad938c7482806L,0x451568bf4b9be1L,
        0x3367ec85d30a22L },
      { 0x5446425747843dL,0x18d94ac223c6b2L,0x052ff3a354d359L,
        0x0b4933f89723f5L,0x03fb517740e056L,0x226b892871dddaL,
        0x2768c2b753f0fdL } },
    /* 242 */
    { { 0x685282ccfa5200L,0x411ed433627b89L,0x77d5c9b8bc9c1dL,
        0x4a13ef2ee5cd29L,0x5582a612407c9eL,0x2307cb42fc3aa9L,
        0x2e661df79956b8L },
      { 0x0e972b015254deL,0x5b63e14def8adeL,0x06995be2ca4a95L,
        0x6cc0cc1e94bf27L,0x7ed8499fe0052aL,0x671a6ca5a5e0f9L,
        0x31e10d4ba10f05L } },
    /* 243 */
    { { 0x690af07e9b2d8aL,0x6030af9e32c8ddL,0x45c7ca3bf2b235L,
        0x40959077b76c81L,0x61eee7f70d5a96L,0x6b04f6aafe9e38L,
        0x3c726f55f1898dL },
      { 0x77d0142a1a6194L,0x1c1631215708b9L,0x403a4f0a9b7585L,
        0x066c8e29f7cef0L,0x6fc32f98cf575eL,0x518a09d818c297L,
        0x34144e99989e75L } },
    /* 244 */
    { { 0x6adbada859fb6aL,0x0dcfb6506ccd51L,0x68f88b8d573e0dL,
        0x4b1ce35bd9af30L,0x241c8293ece2c9L,0x3b5f402c5c4adeL,
        0x34b9b1ee6fde87L },
      { 0x5e625340075e63L,0x54c3f3d9050da1L,0x2a3f9152509016L,
        0x3274e46111bc18L,0x3a7504fd01ac73L,0x4169b387a43209L,
        0x35626f852bc6d4L } },
    /* 245 */
    { { 0x576a4f4662e53bL,0x5ea3f20eecec26L,0x4e5f02be5cd7b0L,
        0x72cc5ac3314be8L,0x0f604ed3201fe9L,0x2a29378ea54bceL,
        0x2d52bd4d6ec4b6L },
      { 0x6a4c2b212c1c76L,0x778fd64a1bfa6dL,0x326828691863d6L,
        0x5616c8bd06a336L,0x5fab552564da4dL,0x46640cab3e91d2L,
        0x1d21f06427299eL } },
    /* 246 */
    { { 0x2bfe37dde98e9cL,0x164c54822332ebL,0x5b736c7df266e4L,
        0x59dab3a8da084cL,0x0ae1eab346f118L,0x182090a4327e3fL,
        0x07b13489dae2e6L },
      { 0x3bc92645452baaL,0x30b159894ae574L,0x5b947c5c78e1f4L,
        0x18f0e004a3c77fL,0x48ca8f357077d9L,0x349ffdcef9bca9L,
        0x3ed224bfd54772L } },
    /* 247 */
    { { 0x1bdad02db8dff8L,0x69fab4450b44b6L,0x3b6802d187518bL,
        0x098368d8eb556cL,0x3fe1943fbefcf4L,0x008851d0de6d42L,
        0x322cbc4605fe25L },
      { 0x2528aaf0d51afbL,0x7d48a9363a0cecL,0x4ba8f77d9a8f8bL,
        0x7dee903437d6c7L,0x1ff5a0d9ccc4b4L,0x34d9bd2fa99831L,
        0x30d9e4f58667c6L } },
    /* 248 */
    { { 0x38909b51b85197L,0x7ba16992512bd4L,0x2c776cfcfffec5L,
        0x2be7879075843cL,0x557e2b05d28ffcL,0x641b17bc5ce357L,
        0x1fcaf8a3710306L },
      { 0x54dca2299a2d48L,0x745d06ef305acaL,0x7c41c65c6944c2L,
        0x679412ec431902L,0x48f2b15ee62827L,0x341a96d8afe06eL,
        0x2a78fd3690c0e1L } },
    /* 249 */
    { { 0x6b7cec83fbc9c6L,0x238e8a82eefc67L,0x5d3c1d9ff0928cL,
        0x55b816d6409bbfL,0x7969612adae364L,0x55b6ff96db654eL,
        0x129beca10073a9L },
      { 0x0b1d2acdfc73deL,0x5d1a3605fa64bdL,0x436076146743beL,
        0x64044b89fcce0cL,0x7ae7b3c18f7fafL,0x7f083ee27cea36L,
        0x0292cd0d7c1ff0L } },
    /* 250 */
    { { 0x5a3c4c019b7d2eL,0x1a35a9b89712fbL,0x38736cc4f18c72L,
        0x603dd832a44e6bL,0x000d1d44aed104L,0x69b1f2fc274ebeL,
        0x03a7b993f76977L },
      { 0x299f3b3e346910L,0x5243f45295afd5L,0x34342cbfa588bdL,
        0x72c40dd1155510L,0x718024fed2f991L,0x2f935e765ad82aL,
        0x246799ea371fb8L } },
    /* 251 */
    { { 0x24fe4c76250533L,0x01cafb02fdf18eL,0x505cb25d462882L,
        0x3e038175157d87L,0x7e3e99b10cdeb1L,0x38b7e72ebc7936L,
        0x081845f7c73433L },
      { 0x049e61be05ebd5L,0x6ab82d8f0581f6L,0x62adffb427ac2eL,
        0x19431f809d198dL,0x36195f6c58b1d6L,0x22cc4c9dedc9a7L,
        0x24b146d8e694fcL } },
    /* 252 */
    { { 0x7c7bc8288b364dL,0x5c10f683cb894aL,0x19a62a68452958L,
        0x1fc24dcb4ce90eL,0x726baa4ed9581fL,0x1f34447dde73d6L,
        0x04c56708f30a21L },
      { 0x131e583a3f4963L,0x071215b4d502e7L,0x196aca542e5940L,
        0x3afd5a91f7450eL,0x671b6eedf49497L,0x6aac7aca5c29e4L,
        0x3fb512470f138bL } },
    /* 253 */
    { { 0x5eadc3f4eb453eL,0x16c795ba34b666L,0x5d7612a4697fddL,
        0x24dd19bb499e86L,0x415b89ca3eeb9bL,0x7c83edf599d809L,
        0x13bc64c9b70269L },
      { 0x52d3243dca3233L,0x0b21444b3a96a7L,0x6d551bc0083b90L,
        0x4f535b88c61176L,0x11e61924298010L,0x0a155b415bb61dL,
        0x17f94fbd26658fL } },
    /* 254 */
    { { 0x2dd06b90c28c65L,0x48582339c8fa6eL,0x01ac8bf2085d94L,
        0x053e660e020fdcL,0x1bece667edf07bL,0x4558f2b33ce24cL,
        0x2f1a766e8673fcL },
      { 0x1d77cd13c06819L,0x4d5dc5056f3a01L,0x18896c6fa18d69L,
        0x120047ca76d625L,0x6af8457d4f4e45L,0x70ddc53358b60aL,
        0x330e11130e82f0L } },
    /* 255 */
    { { 0x0643b1cd4c2356L,0x10a2ea0a8f7c92L,0x2752513011d029L,
        0x4cd4c50321f579L,0x5fdf9ba5724792L,0x2f691653e2ddc0L,
        0x0cfed3d84226cbL },
      { 0x704902a950f955L,0x069bfdb87bbf0cL,0x5817eeda8a5f84L,
        0x1914cdd9089905L,0x0e4a323d7b93f4L,0x1cc3fc340af0b2L,
        0x23874161bd6303L } },
};

/* Multiply the base point of P384 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^48, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_ecc_mulmod_base_7(sp_point_384* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    return sp_384_ecc_mulmod_stripe_7(r, &p384_base, p384_table,
                                      k, map, ct, heap);
}

#endif

/* Multiply the base point of P384 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_384(const mp_int* km, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_384  point[1];
    sp_digit k[7];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_384_from_mp(k, 7, km);

            err = sp_384_ecc_mulmod_base_7(point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_384_point_to_ecc_point_7(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the base point of P384 by the scalar, add point a and return
 * the result. If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_add_384(const mp_int* km, const ecc_point* am,
        int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_384 point[2];
    sp_digit k[7 + 7 * 2 * 6];
#endif
    sp_point_384* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (7 + 7 * 2 * 6),
            heap, DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 7;

        sp_384_from_mp(k, 7, km);
        sp_384_point_from_ecc_point_7(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->x, addP->x, p384_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->y, addP->y, p384_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_384_mod_mul_norm_7(addP->z, addP->z, p384_mod);
    }
    if (err == MP_OKAY) {
            err = sp_384_ecc_mulmod_base_7(point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_384_proj_point_add_7(point, point, addP, tmp);

        if (map) {
                sp_384_map_7(point, point, tmp);
        }

        err = sp_384_point_to_ecc_point_7(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                                        defined(HAVE_ECC_VERIFY)
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN | HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
/* Add 1 to a. (a = a + 1)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_384_add_one_7(sp_digit* a)
{
    a[0]++;
    sp_384_norm_7(a);
}

/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_384_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 47U) {
            r[j] &= 0x7fffffffffffffL;
            s = 55U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Generates a scalar that is in the range 1..order-1.
 *
 * rng  Random number generator.
 * k    Scalar value.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
static int sp_384_ecc_gen_k_7(WC_RNG* rng, sp_digit* k)
{
    int err;
    byte buf[48];

    do {
        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
        if (err == 0) {
            sp_384_from_bin(k, 7, buf, (int)sizeof(buf));
            if (sp_384_cmp_7(k, p384_order2) <= 0) {
                sp_384_add_one_7(k);
                break;
            }
        }
    }
    while (err == 0);

    return err;
}

/* Makes a random EC key pair.
 *
 * rng   Random number generator.
 * priv  Generated private value.
 * pub   Generated public point.
 * heap  Heap to use for allocation.
 * returns ECC_INF_E when the point does not have the correct order, RNG
 * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_make_key_384(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_384 point[2];
    #else
    sp_point_384 point[1];
    #endif
    sp_digit k[7];
#endif
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_384* infinity = NULL;
#endif
    int err = MP_OKAY;


    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap, DYNAMIC_TYPE_ECC);
    #else
    point = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap, DYNAMIC_TYPE_ECC);
    #endif
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        infinity = point + 1;
    #endif

        err = sp_384_ecc_gen_k_7(rng, k);
    }
    if (err == MP_OKAY) {
            err = sp_384_ecc_mulmod_base_7(point, k, 1, 1, NULL);
    }

#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    if (err == MP_OKAY) {
            err = sp_384_ecc_mulmod_7(infinity, point, p384_order, 1, 1, NULL);
    }
    if (err == MP_OKAY) {
        if (sp_384_iszero_7(point->x) || sp_384_iszero_7(point->y)) {
            err = ECC_INF_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        err = sp_384_to_mp(k, priv);
    }
    if (err == MP_OKAY) {
        err = sp_384_point_to_ecc_point_7(point, pub);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL) {
        /* point is not sensitive, so no need to zeroize */
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    }
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_key_gen_384_ctx {
    int state;
    sp_384_ecc_mulmod_7_ctx mulmod_ctx;
    sp_digit k[7];
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_384  point[2];
#else
    sp_point_384 point[1];
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
} sp_ecc_key_gen_384_ctx;

int sp_ecc_make_key_384_nb(sp_ecc_ctx_t* sp_ctx, WC_RNG* rng, mp_int* priv,
    ecc_point* pub, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_key_gen_384_ctx* ctx = (sp_ecc_key_gen_384_ctx*)sp_ctx->data;
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_384* infinity = ctx->point + 1;
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */

    typedef char ctx_size_test[sizeof(sp_ecc_key_gen_384_ctx)
                               >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
        case 0:
            err = sp_384_ecc_gen_k_7(rng, ctx->k);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
                ctx->state = 1;
            }
            break;
        case 1:
            err = sp_384_ecc_mulmod_base_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
            #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
                XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
                ctx->state = 2;
            #else
                ctx->state = 3;
            #endif
            }
            break;
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        case 2:
            err = sp_384_ecc_mulmod_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      infinity, ctx->point, p384_order, 1, 1);
            if (err == MP_OKAY) {
                if (sp_384_iszero_7(ctx->point->x) ||
                    sp_384_iszero_7(ctx->point->y)) {
                    err = ECC_INF_E;
                }
                else {
                    err = FP_WOULDBLOCK;
                    ctx->state = 3;
                }
            }
            break;
    #endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
        case 3:
            err = sp_384_to_mp(ctx->k, priv);
            if (err == MP_OKAY) {
                err = sp_384_point_to_ecc_point_7(ctx->point, pub);
            }
            break;
    }

    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_key_gen_384_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

#ifdef HAVE_ECC_DHE
/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 48
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_384_to_bin_7(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<6; i++) {
        r[i+1] += r[i] >> 55;
        r[i] &= 0x7fffffffffffffL;
    }
    j = 391 / 8 - 1;
    a[j] = 0;
    for (i=0; i<7 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 55) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 55);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

/* Multiply the point by the scalar and serialize the X ordinate.
 * The number is 0 padded to maximum size on output.
 *
 * priv    Scalar to multiply the point by.
 * pub     Point to multiply.
 * out     Buffer to hold X ordinate.
 * outLen  On entry, size of the buffer in bytes.
 *         On exit, length of data in buffer in bytes.
 * heap    Heap to use for allocation.
 * returns BUFFER_E if the buffer is to small for output size,
 * MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_secret_gen_384(const mp_int* priv, const ecc_point* pub, byte* out,
                          word32* outLen, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_384 point[1];
    sp_digit k[7];
#endif
    int err = MP_OKAY;

    if (*outLen < 48U) {
        err = BUFFER_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap,
                                         DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_384_from_mp(k, 7, priv);
        sp_384_point_from_ecc_point_7(point, pub);
            err = sp_384_ecc_mulmod_7(point, point, k, 1, 1, heap);
    }
    if (err == MP_OKAY) {
        sp_384_to_bin_7(point->x, out);
        *outLen = 48;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sec_gen_384_ctx {
    int state;
    union {
        sp_384_ecc_mulmod_7_ctx mulmod_ctx;
    };
    sp_digit k[7];
    sp_point_384 point;
} sp_ecc_sec_gen_384_ctx;

int sp_ecc_secret_gen_384_nb(sp_ecc_ctx_t* sp_ctx, const mp_int* priv,
    const ecc_point* pub, byte* out, word32* outLen, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sec_gen_384_ctx* ctx = (sp_ecc_sec_gen_384_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sec_gen_384_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    if (*outLen < 32U) {
        err = BUFFER_E;
    }

    switch (ctx->state) {
        case 0:
            sp_384_from_mp(ctx->k, 7, priv);
            sp_384_point_from_ecc_point_7(&ctx->point, pub);
            ctx->state = 1;
            break;
        case 1:
            err = sp_384_ecc_mulmod_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      &ctx->point, &ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                sp_384_to_bin_7(ctx->point.x, out);
                *outLen = 48;
            }
            break;
    }

    if (err == MP_OKAY && ctx->state != 1) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_sec_gen_384_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_DHE */

#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
SP_NOINLINE static void sp_384_rshift_7(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

#ifdef WOLFSSL_SP_SMALL
    for (i=0; i<6; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (55 - n))) & 0x7fffffffffffffL;
    }
#else
    for (i=0; i<0; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (55 - n)) & 0x7fffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (55 - n)) & 0x7fffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (55 - n)) & 0x7fffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (55 - n)) & 0x7fffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (55 - n)) & 0x7fffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (55 - n)) & 0x7fffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (55 - n)) & 0x7fffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (55 - n)) & 0x7fffffffffffffL);
    }
    r[0] = (a[0] >> n) | ((a[1] << (55 - n)) & 0x7fffffffffffffL);
    r[1] = (a[1] >> n) | ((a[2] << (55 - n)) & 0x7fffffffffffffL);
    r[2] = (a[2] >> n) | ((a[3] << (55 - n)) & 0x7fffffffffffffL);
    r[3] = (a[3] >> n) | ((a[4] << (55 - n)) & 0x7fffffffffffffL);
    r[4] = (a[4] >> n) | ((a[5] << (55 - n)) & 0x7fffffffffffffL);
    r[5] = (a[5] >> n) | ((a[6] << (55 - n)) & 0x7fffffffffffffL);
#endif /* WOLFSSL_SP_SMALL */
    r[6] = a[6] >> n;
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_384_mul_d_7(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 7; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x7fffffffffffffL);
        t >>= 55;
    }
    r[7] = (sp_digit)t;
#else
    sp_int128 tb = b;
    sp_int128 t[7];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    t[ 5] = tb * a[ 5];
    t[ 6] = tb * a[ 6];
    r[ 0] = (sp_digit)                 (t[ 0] & 0x7fffffffffffffL);
    r[ 1] = (sp_digit)((t[ 0] >> 55) + (t[ 1] & 0x7fffffffffffffL));
    r[ 2] = (sp_digit)((t[ 1] >> 55) + (t[ 2] & 0x7fffffffffffffL));
    r[ 3] = (sp_digit)((t[ 2] >> 55) + (t[ 3] & 0x7fffffffffffffL));
    r[ 4] = (sp_digit)((t[ 3] >> 55) + (t[ 4] & 0x7fffffffffffffL));
    r[ 5] = (sp_digit)((t[ 4] >> 55) + (t[ 5] & 0x7fffffffffffffL));
    r[ 6] = (sp_digit)((t[ 5] >> 55) + (t[ 6] & 0x7fffffffffffffL));
    r[ 7] = (sp_digit) (t[ 6] >> 55);
#endif /* WOLFSSL_SP_SMALL */
}

SP_NOINLINE static void sp_384_lshift_14(sp_digit* r, const sp_digit* a,
        byte n)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    r[14] = a[13] >> (55 - n);
    for (i=13; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (55 - n))) & 0x7fffffffffffffL;
    }
#else
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[13];
    r[14] = s >> (55U - n);
    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
    r[13] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
    r[12] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
    r[11] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
    r[10] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (55U - n))) & 0x7fffffffffffffUL;
#endif /* WOLFSSL_SP_SMALL */
    r[0] = (a[0] << n) & 0x7fffffffffffffL;
}

/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Simplified based on top word of divisor being (1 << 55) - 1
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_384_div_7(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
    sp_digit r1;
    sp_digit mask;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 7 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 7 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 14 + 1;
        sd = t2 + 7 + 1;

        sp_384_mul_d_7(sd, d, (sp_digit)1 << 1);
        sp_384_lshift_14(t1, a, 1);
        t1[7 + 7] += t1[7 + 7 - 1] >> 55;
        t1[7 + 7 - 1] &= 0x7fffffffffffffL;
        for (i=6; i>=0; i--) {
            r1 = t1[7 + i];
            sp_384_mul_d_7(t2, sd, r1);
            (void)sp_384_sub_7(&t1[i], &t1[i], t2);
            t1[7 + i] -= t2[7];
            sp_384_norm_7(&t1[i + 1]);

            mask = ~((t1[7 + i] - 1) >> 63);
            sp_384_cond_sub_7(t1 + i, t1 + i, sd, mask);
            sp_384_norm_7(&t1[i + 1]);
        }
        sp_384_norm_7(t1);
        sp_384_rshift_7(r, t1, 1);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_384_mod_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_384_div_7(a, m, NULL, r);
}

#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* Multiply two number mod the order of P384 curve. (r = a * b mod order)
 *
 * r  Result of the multiplication.
 * a  First operand of the multiplication.
 * b  Second operand of the multiplication.
 */
static void sp_384_mont_mul_order_7(sp_digit* r, const sp_digit* a, const sp_digit* b)
{
    sp_384_mul_7(r, a, b);
    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
}

#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
#ifdef WOLFSSL_SP_SMALL
/* Order-2 for the P384 curve. */
static const uint64_t p384_order_minus_2[6] = {
    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU,
    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU
};
#else
/* The low half of the order-2 of the P384 curve. */
static const uint64_t p384_order_low[3] = {
    0xecec196accc52971U,0x581a0db248b0a77aU,0xc7634d81f4372ddfU
};
#endif /* WOLFSSL_SP_SMALL */

/* Square number mod the order of P384 curve. (r = a * a mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_384_mont_sqr_order_7(sp_digit* r, const sp_digit* a)
{
    sp_384_sqr_7(r, a);
    sp_384_mont_reduce_order_7(r, p384_order, p384_mp_order);
}

#ifndef WOLFSSL_SP_SMALL
/* Square number mod the order of P384 curve a number of times.
 * (r = a ^ n mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_384_mont_sqr_n_order_7(sp_digit* r, const sp_digit* a, int n)
{
    int i;

    sp_384_mont_sqr_order_7(r, a);
    for (i=1; i<n; i++) {
        sp_384_mont_sqr_order_7(r, r);
    }
}
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the order of the P384 curve.
 * (r = 1 / a mod order)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_384_mont_inv_order_7_ctx {
    int state;
    int i;
} sp_384_mont_inv_order_7_ctx;
static int sp_384_mont_inv_order_7_nb(sp_ecc_ctx_t* sp_ctx, sp_digit* r, const sp_digit* a,
        sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_384_mont_inv_order_7_ctx* ctx = (sp_384_mont_inv_order_7_ctx*)sp_ctx;

    typedef char ctx_size_test[sizeof(sp_384_mont_inv_order_7_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        XMEMCPY(t, a, sizeof(sp_digit) * 7);
        ctx->i = 382;
        ctx->state = 1;
        break;
    case 1:
        sp_384_mont_sqr_order_7(t, t);
        ctx->state = 2;
        break;
    case 2:
        if ((p384_order_minus_2[ctx->i / 64] & ((sp_int_digit)1 << (ctx->i % 64))) != 0) {
            sp_384_mont_mul_order_7(t, t, a);
        }
        ctx->i--;
        ctx->state = (ctx->i == 0) ? 3 : 1;
        break;
    case 3:
        XMEMCPY(r, t, sizeof(sp_digit) * 7U);
        err = MP_OKAY;
        break;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

static void sp_384_mont_inv_order_7(sp_digit* r, const sp_digit* a,
        sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 7);
    for (i=382; i>=0; i--) {
        sp_384_mont_sqr_order_7(t, t);
        if ((p384_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_384_mont_mul_order_7(t, t, a);
        }
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 7U);
#else
    sp_digit* t = td;
    sp_digit* t2 = td + 2 * 7;
    sp_digit* t3 = td + 4 * 7;
    int i;

    /* t = a^2 */
    sp_384_mont_sqr_order_7(t, a);
    /* t = a^3 = t * a */
    sp_384_mont_mul_order_7(t, t, a);
    /* t2= a^c = t ^ 2 ^ 2 */
    sp_384_mont_sqr_n_order_7(t2, t, 2);
    /* t = a^f = t2 * t */
    sp_384_mont_mul_order_7(t, t2, t);
    /* t2= a^f0 = t ^ 2 ^ 4 */
    sp_384_mont_sqr_n_order_7(t2, t, 4);
    /* t = a^ff = t2 * t */
    sp_384_mont_mul_order_7(t, t2, t);
    /* t2= a^ff00 = t ^ 2 ^ 8 */
    sp_384_mont_sqr_n_order_7(t2, t, 8);
    /* t3= a^ffff = t2 * t */
    sp_384_mont_mul_order_7(t3, t2, t);
    /* t2= a^ffff0000 = t3 ^ 2 ^ 16 */
    sp_384_mont_sqr_n_order_7(t2, t3, 16);
    /* t = a^ffffffff = t2 * t3 */
    sp_384_mont_mul_order_7(t, t2, t3);
    /* t2= a^ffffffff0000 = t ^ 2 ^ 16  */
    sp_384_mont_sqr_n_order_7(t2, t, 16);
    /* t = a^ffffffffffff = t2 * t3 */
    sp_384_mont_mul_order_7(t, t2, t3);
    /* t2= a^ffffffffffff000000000000 = t ^ 2 ^ 48  */
    sp_384_mont_sqr_n_order_7(t2, t, 48);
    /* t= a^fffffffffffffffffffffffff = t2 * t */
    sp_384_mont_mul_order_7(t, t2, t);
    /* t2= a^ffffffffffffffffffffffff000000000000000000000000 */
    sp_384_mont_sqr_n_order_7(t2, t, 96);
    /* t2= a^ffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
    sp_384_mont_mul_order_7(t2, t2, t);
    for (i=191; i>=1; i--) {
        sp_384_mont_sqr_order_7(t2, t2);
        if ((p384_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_384_mont_mul_order_7(t2, t2, a);
        }
    }
    sp_384_mont_sqr_order_7(t2, t2);
    sp_384_mont_mul_order_7(r, t2, a);
#endif /* WOLFSSL_SP_SMALL */
}

#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
#endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
#ifdef HAVE_ECC_SIGN
#ifndef SP_ECC_MAX_SIG_GEN
#define SP_ECC_MAX_SIG_GEN  64
#endif

/* Calculate second signature value S from R, k and private value.
 *
 * s = (r * x + e) / k
 *
 * s    Signature value.
 * r    First signature value.
 * k    Ephemeral private key.
 * x    Private key as a number.
 * e    Hash of message as a number.
 * tmp  Temporary storage for intermediate numbers.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_calc_s_7(sp_digit* s, const sp_digit* r, sp_digit* k,
    sp_digit* x, const sp_digit* e, sp_digit* tmp)
{
    int err;
    sp_digit carry;
    sp_int64 c;
    sp_digit* kInv = k;

    /* Conv k to Montgomery form (mod order) */
        sp_384_mul_7(k, k, p384_norm_order);
    err = sp_384_mod_7(k, k, p384_order);
    if (err == MP_OKAY) {
        sp_384_norm_7(k);

        /* kInv = 1/k mod order */
            sp_384_mont_inv_order_7(kInv, k, tmp);
        sp_384_norm_7(kInv);

        /* s = r * x + e */
            sp_384_mul_7(x, x, r);
        err = sp_384_mod_7(x, x, p384_order);
    }
    if (err == MP_OKAY) {
        sp_384_norm_7(x);
        carry = sp_384_add_7(s, e, x);
        sp_384_cond_sub_7(s, s, p384_order, 0 - carry);
        sp_384_norm_7(s);
        c = sp_384_cmp_7(s, p384_order);
        sp_384_cond_sub_7(s, s, p384_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_384_norm_7(s);

        /* s = s * k^-1 mod order */
            sp_384_mont_mul_order_7(s, s, kInv);
        sp_384_norm_7(s);
    }

    return err;
}

/* Sign the hash using the private key.
 *   e = [hash, 384 bits] from binary
 *   r = (k.G)->x mod order
 *   s = (r * x + e) / k mod order
 * The hash is truncated to the first 384 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng,
    const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* e = NULL;
    sp_point_384* point = NULL;
#else
    sp_digit e[7 * 2 * 7];
    sp_point_384 point[1];
#endif
    sp_digit* x = NULL;
    sp_digit* k = NULL;
    sp_digit* r = NULL;
    sp_digit* tmp = NULL;
    sp_digit* s = NULL;
    sp_int64 c;
    int err = MP_OKAY;
    int i;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_384*)XMALLOC(sizeof(sp_point_384), heap,
                                             DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        e = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 7, heap,
                               DYNAMIC_TYPE_ECC);
        if (e == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        x = e + 2 * 7;
        k = e + 4 * 7;
        r = e + 6 * 7;
        tmp = e + 8 * 7;
        s = e;

        if (hashLen > 48U) {
            hashLen = 48U;
        }
    }

    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_384_ecc_gen_k_7(rng, k);
        }
        else {
            sp_384_from_mp(k, 7, km);
            mp_zero(km);
        }
        if (err == MP_OKAY) {
                err = sp_384_ecc_mulmod_base_7(point, k, 1, 1, heap);
        }

        if (err == MP_OKAY) {
            /* r = point->x mod order */
            XMEMCPY(r, point->x, sizeof(sp_digit) * 7U);
            sp_384_norm_7(r);
            c = sp_384_cmp_7(r, p384_order);
            sp_384_cond_sub_7(r, r, p384_order,
                (sp_digit)0 - (sp_digit)(c >= 0));
            sp_384_norm_7(r);

            if (!sp_384_iszero_7(r)) {
                /* x is modified in calculation of s. */
                sp_384_from_mp(x, 7, priv);
                /* s ptr == e ptr, e is modified in calculation of s. */
                sp_384_from_bin(e, 7, hash, (int)hashLen);

                err = sp_384_calc_s_7(s, r, k, x, e, tmp);

                /* Check that signature is usable. */
                if ((err == MP_OKAY) && (!sp_384_iszero_7(s))) {
                    break;
                }
            }
        }
#ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        i = 1;
#endif
    }

    if (i == 0) {
        err = RNG_FAILURE_E;
    }

    if (err == MP_OKAY) {
        err = sp_384_to_mp(r, rm);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(s, sm);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (e != NULL)
#endif
    {
        ForceZero(e, sizeof(sp_digit) * 7 * 2 * 7);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(e, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (point != NULL)
#endif
    {
        ForceZero(point, sizeof(sp_point_384));
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sign_384_ctx {
    int state;
    union {
        sp_384_ecc_mulmod_7_ctx mulmod_ctx;
        sp_384_mont_inv_order_7_ctx mont_inv_order_ctx;
    };
    sp_digit e[2*7];
    sp_digit x[2*7];
    sp_digit k[2*7];
    sp_digit r[2*7];
    sp_digit tmp[3 * 2*7];
    sp_point_384 point;
    sp_digit* s;
    sp_digit* kInv;
    int i;
} sp_ecc_sign_384_ctx;

int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, WC_RNG* rng,
    mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sign_384_ctx* ctx = (sp_ecc_sign_384_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sign_384_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->s = ctx->e;
        ctx->kInv = ctx->k;

        ctx->i = SP_ECC_MAX_SIG_GEN;
        ctx->state = 1;
        break;
    case 1: /* GEN */
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_384_ecc_gen_k_7(rng, ctx->k);
        }
        else {
            sp_384_from_mp(ctx->k, 7, km);
            mp_zero(km);
        }
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 2;
        break;
    case 2: /* MULMOD */
        err = sp_384_ecc_mulmod_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
            &ctx->point, &p384_base, ctx->k, 1, 1, heap);
        if (err == MP_OKAY) {
            ctx->state = 3;
        }
        break;
    case 3: /* MODORDER */
    {
        sp_int64 c;
        /* r = point->x mod order */
        XMEMCPY(ctx->r, ctx->point.x, sizeof(sp_digit) * 7U);
        sp_384_norm_7(ctx->r);
        c = sp_384_cmp_7(ctx->r, p384_order);
        sp_384_cond_sub_7(ctx->r, ctx->r, p384_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_384_norm_7(ctx->r);

        if (hashLen > 48U) {
            hashLen = 48U;
        }
        sp_384_from_mp(ctx->x, 7, priv);
        sp_384_from_bin(ctx->e, 7, hash, (int)hashLen);
        ctx->state = 4;
        break;
    }
    case 4: /* KMODORDER */
        /* Conv k to Montgomery form (mod order) */
        sp_384_mul_7(ctx->k, ctx->k, p384_norm_order);
        err = sp_384_mod_7(ctx->k, ctx->k, p384_order);
        if (err == MP_OKAY) {
            sp_384_norm_7(ctx->k);
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 5;
        }
        break;
    case 5: /* KINV */
        /* kInv = 1/k mod order */
        err = sp_384_mont_inv_order_7_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->kInv, ctx->k, ctx->tmp);
        if (err == MP_OKAY) {
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* KINVNORM */
        sp_384_norm_7(ctx->kInv);
        ctx->state = 7;
        break;
    case 7: /* R */
        /* s = r * x + e */
        sp_384_mul_7(ctx->x, ctx->x, ctx->r);
        ctx->state = 8;
        break;
    case 8: /* S1 */
        err = sp_384_mod_7(ctx->x, ctx->x, p384_order);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* S2 */
    {
        sp_digit carry;
        sp_int64 c;
        sp_384_norm_7(ctx->x);
        carry = sp_384_add_7(ctx->s, ctx->e, ctx->x);
        sp_384_cond_sub_7(ctx->s, ctx->s,
            p384_order, 0 - carry);
        sp_384_norm_7(ctx->s);
        c = sp_384_cmp_7(ctx->s, p384_order);
        sp_384_cond_sub_7(ctx->s, ctx->s, p384_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_384_norm_7(ctx->s);

        /* s = s * k^-1 mod order */
        sp_384_mont_mul_order_7(ctx->s, ctx->s, ctx->kInv);
        sp_384_norm_7(ctx->s);

        /* Check that signature is usable. */
        if (sp_384_iszero_7(ctx->s) == 0) {
            ctx->state = 10;
            break;
        }
    #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        ctx->i = 1;
    #endif

        /* not usable gen, try again */
        ctx->i--;
        if (ctx->i == 0) {
            err = RNG_FAILURE_E;
        }
        ctx->state = 1;
        break;
    }
    case 10: /* RES */
        err = sp_384_to_mp(ctx->r, rm);
        if (err == MP_OKAY) {
            err = sp_384_to_mp(ctx->s, sm);
        }
        break;
    }

    if (err == MP_OKAY && ctx->state != 10) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx->e, 0, sizeof(sp_digit) * 2U * 7U);
        XMEMSET(ctx->x, 0, sizeof(sp_digit) * 2U * 7U);
        XMEMSET(ctx->k, 0, sizeof(sp_digit) * 2U * 7U);
        XMEMSET(ctx->r, 0, sizeof(sp_digit) * 2U * 7U);
        XMEMSET(ctx->tmp, 0, sizeof(sp_digit) * 3U * 2U * 7U);
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_SIGN */

#ifndef WOLFSSL_SP_SMALL
static const char sp_384_tab64_7[64] = {
    64,  1, 59,  2, 60, 48, 54,  3,
    61, 40, 49, 28, 55, 34, 43,  4,
    62, 52, 38, 41, 50, 19, 29, 21,
    56, 31, 35, 12, 44, 15, 23,  5,
    63, 58, 47, 53, 39, 27, 33, 42,
    51, 37, 18, 20, 30, 11, 14, 22,
    57, 46, 26, 32, 36, 17, 10, 13,
    45, 25, 16,  9, 24,  8,  7,  6};

static int sp_384_num_bits_55_7(sp_digit v)
{
    v |= v >> 1;
    v |= v >> 2;
    v |= v >> 4;
    v |= v >> 8;
    v |= v >> 16;
    v |= v >> 32;
    return sp_384_tab64_7[((uint64_t)((v - (v >> 1))*0x07EDD5E59A4E28C2)) >> 58];
}

static int sp_384_num_bits_7(const sp_digit* a)
{
    int i;
    int r = 0;

    for (i = 6; i >= 0; i--) {
        if (a[i] != 0) {
            r = sp_384_num_bits_55_7(a[i]);
            r += i * 55;
            break;
        }
    }

    return r;
}

/* Non-constant time modular inversion.
 *
 * @param  [out]  r   Resulting number.
 * @param  [in]   a   Number to invert.
 * @param  [in]   m   Modulus.
 * @return  MP_OKAY on success.
 * @return  MEMEORY_E when dynamic memory allocation fails.
 */
static int sp_384_mod_inv_7(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u = NULL;
#else
    sp_digit u[7 * 4];
#endif
    sp_digit* v = NULL;
    sp_digit* b = NULL;
    sp_digit* d = NULL;
    int ut;
    int vt;

#ifdef WOLFSSL_SP_SMALL_STACK
    u = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 4, NULL,
                                                              DYNAMIC_TYPE_ECC);
    if (u == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        v = u + 7;
        b = u + 2 * 7;
        d = u + 3 * 7;

        XMEMCPY(u, m, sizeof(sp_digit) * 7);
        XMEMCPY(v, a, sizeof(sp_digit) * 7);

        ut = sp_384_num_bits_7(u);
        vt = sp_384_num_bits_7(v);

        XMEMSET(b, 0, sizeof(sp_digit) * 7);
        if ((v[0] & 1) == 0) {
            sp_384_rshift1_7(v, v);
            XMEMCPY(d, m, sizeof(sp_digit) * 7);
            d[0]++;
            sp_384_rshift1_7(d, d);
            vt--;

            while ((v[0] & 1) == 0) {
                sp_384_rshift1_7(v, v);
                if (d[0] & 1)
                    sp_384_add_7(d, d, m);
                sp_384_rshift1_7(d, d);
                vt--;
            }
        }
        else {
            XMEMSET(d+1, 0, sizeof(sp_digit) * (7 - 1));
            d[0] = 1;
        }

        while (ut > 1 && vt > 1) {
            if ((ut > vt) || ((ut == vt) &&
                    (sp_384_cmp_7(u, v) >= 0))) {
                sp_384_sub_7(u, u, v);
                sp_384_norm_7(u);

                sp_384_sub_7(b, b, d);
                sp_384_norm_7(b);
                if (b[6] < 0)
                    sp_384_add_7(b, b, m);
                sp_384_norm_7(b);
                ut = sp_384_num_bits_7(u);

                do {
                    sp_384_rshift1_7(u, u);
                    if (b[0] & 1)
                        sp_384_add_7(b, b, m);
                    sp_384_rshift1_7(b, b);
                    ut--;
                }
                while (ut > 0 && (u[0] & 1) == 0);
            }
            else {
                sp_384_sub_7(v, v, u);
                sp_384_norm_7(v);

                sp_384_sub_7(d, d, b);
                sp_384_norm_7(d);
                if (d[6] < 0)
                    sp_384_add_7(d, d, m);
                sp_384_norm_7(d);
                vt = sp_384_num_bits_7(v);

                do {
                    sp_384_rshift1_7(v, v);
                    if (d[0] & 1)
                        sp_384_add_7(d, d, m);
                    sp_384_rshift1_7(d, d);
                    vt--;
                }
                while (vt > 0 && (v[0] & 1) == 0);
            }
        }

        if (ut == 1)
            XMEMCPY(r, b, sizeof(sp_digit) * 7);
        else
            XMEMCPY(r, d, sizeof(sp_digit) * 7);
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (u != NULL)
        XFREE(u, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* WOLFSSL_SP_SMALL */

/* Add point p1 into point p2. Handles p1 == p2 and result at infinity.
 *
 * p1   First point to add and holds result.
 * p2   Second point to add.
 * tmp  Temporary storage for intermediate numbers.
 */
static void sp_384_add_points_7(sp_point_384* p1, const sp_point_384* p2,
    sp_digit* tmp)
{

        sp_384_proj_point_add_7(p1, p1, p2, tmp);
    if (sp_384_iszero_7(p1->z)) {
        if (sp_384_iszero_7(p1->x) && sp_384_iszero_7(p1->y)) {
                sp_384_proj_point_dbl_7(p1, p2, tmp);
        }
        else {
            /* Y ordinate is not used from here - don't set. */
            p1->x[0] = 0;
            p1->x[1] = 0;
            p1->x[2] = 0;
            p1->x[3] = 0;
            p1->x[4] = 0;
            p1->x[5] = 0;
            p1->x[6] = 0;
            XMEMCPY(p1->z, p384_norm_mod, sizeof(p384_norm_mod));
        }
    }
}

/* Calculate the verification point: [e/s]G + [r/s]Q
 *
 * p1    Calculated point.
 * p2    Public point and temporary.
 * s     Second part of signature as a number.
 * u1    Temporary number.
 * u2    Temporary number.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_384_calc_vfy_point_7(sp_point_384* p1, sp_point_384* p2,
    sp_digit* s, sp_digit* u1, sp_digit* u2, sp_digit* tmp, void* heap)
{
    int err;

#ifndef WOLFSSL_SP_SMALL
    err = sp_384_mod_inv_7(s, s, p384_order);
    if (err == MP_OKAY)
#endif /* !WOLFSSL_SP_SMALL */
    {
        sp_384_mul_7(s, s, p384_norm_order);
        err = sp_384_mod_7(s, s, p384_order);
    }
    if (err == MP_OKAY) {
        sp_384_norm_7(s);
#ifdef WOLFSSL_SP_SMALL
        {
            sp_384_mont_inv_order_7(s, s, tmp);
            sp_384_mont_mul_order_7(u1, u1, s);
            sp_384_mont_mul_order_7(u2, u2, s);
        }
#else
        {
            sp_384_mont_mul_order_7(u1, u1, s);
            sp_384_mont_mul_order_7(u2, u2, s);
        }
#endif /* WOLFSSL_SP_SMALL */
        {
            err = sp_384_ecc_mulmod_base_7(p1, u1, 0, 0, heap);
        }
    }
    if ((err == MP_OKAY) && sp_384_iszero_7(p1->z)) {
        p1->infinity = 1;
    }
    if (err == MP_OKAY) {
            err = sp_384_ecc_mulmod_7(p2, p2, u2, 0, 0, heap);
    }
    if ((err == MP_OKAY) && sp_384_iszero_7(p2->z)) {
        p2->infinity = 1;
    }

    if (err == MP_OKAY) {
        sp_384_add_points_7(p1, p2, tmp);
    }

    return err;
}

#ifdef HAVE_ECC_VERIFY
/* Verify the signature values with the hash and public key.
 *   e = Truncate(hash, 384)
 *   u1 = e/s mod order
 *   u2 = r/s mod order
 *   r == (u1.G + u2.Q)->x mod order
 * Optimization: Leave point in projective form.
 *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
 *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
 * The hash is truncated to the first 384 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX,
    const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm,
    int* res, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u1 = NULL;
    sp_point_384* p1 = NULL;
#else
    sp_digit  u1[18 * 7];
    sp_point_384 p1[2];
#endif
    sp_digit* u2 = NULL;
    sp_digit* s = NULL;
    sp_digit* tmp = NULL;
    sp_point_384* p2 = NULL;
    sp_digit carry;
    sp_int64 c = 0;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p1 = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap,
                                             DYNAMIC_TYPE_ECC);
        if (p1 == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        u1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 7, heap,
                                                              DYNAMIC_TYPE_ECC);
        if (u1 == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        u2  = u1 + 2 * 7;
        s   = u1 + 4 * 7;
        tmp = u1 + 6 * 7;
        p2 = p1 + 1;

        if (hashLen > 48U) {
            hashLen = 48U;
        }

        sp_384_from_bin(u1, 7, hash, (int)hashLen);
        sp_384_from_mp(u2, 7, rm);
        sp_384_from_mp(s, 7, sm);
        sp_384_from_mp(p2->x, 7, pX);
        sp_384_from_mp(p2->y, 7, pY);
        sp_384_from_mp(p2->z, 7, pZ);

        err = sp_384_calc_vfy_point_7(p1, p2, s, u1, u2, tmp, heap);
    }
    if (err == MP_OKAY) {
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_384_from_mp(u2, 7, rm);
        err = sp_384_mod_mul_norm_7(u2, u2, p384_mod);
    }

    if (err == MP_OKAY) {
        /* u1 = r.z'.z' mod prime */
            sp_384_mont_sqr_7(p1->z, p1->z, p384_mod, p384_mp_mod);
            sp_384_mont_mul_7(u1, u2, p1->z, p384_mod, p384_mp_mod);
        *res = (int)(sp_384_cmp_7(p1->x, u1) == 0);
        if (*res == 0) {
            /* Reload r and add order. */
            sp_384_from_mp(u2, 7, rm);
            carry = sp_384_add_7(u2, u2, p384_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_384_norm_7(u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_384_cmp_7(u2, p384_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_384_mod_mul_norm_7(u2, u2, p384_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                {
                    sp_384_mont_mul_7(u1, u2, p1->z, p384_mod, p384_mp_mod);
                }
                *res = (sp_384_cmp_7(p1->x, u1) == 0);
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (u1 != NULL)
        XFREE(u1, heap, DYNAMIC_TYPE_ECC);
    if (p1 != NULL)
        XFREE(p1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_verify_384_ctx {
    int state;
    union {
        sp_384_ecc_mulmod_7_ctx mulmod_ctx;
        sp_384_mont_inv_order_7_ctx mont_inv_order_ctx;
        sp_384_proj_point_dbl_7_ctx dbl_ctx;
        sp_384_proj_point_add_7_ctx add_ctx;
    };
    sp_digit u1[2*7];
    sp_digit u2[2*7];
    sp_digit s[2*7];
    sp_digit tmp[2*7 * 6];
    sp_point_384 p1;
    sp_point_384 p2;
} sp_ecc_verify_384_ctx;

int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
    word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ,
    const mp_int* rm, const mp_int* sm, int* res, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_verify_384_ctx* ctx = (sp_ecc_verify_384_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_verify_384_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        if (hashLen > 48U) {
            hashLen = 48U;
        }

        sp_384_from_bin(ctx->u1, 7, hash, (int)hashLen);
        sp_384_from_mp(ctx->u2, 7, rm);
        sp_384_from_mp(ctx->s, 7, sm);
        sp_384_from_mp(ctx->p2.x, 7, pX);
        sp_384_from_mp(ctx->p2.y, 7, pY);
        sp_384_from_mp(ctx->p2.z, 7, pZ);
        ctx->state = 1;
        break;
    case 1: /* NORMS0 */
        sp_384_mul_7(ctx->s, ctx->s, p384_norm_order);
        err = sp_384_mod_7(ctx->s, ctx->s, p384_order);
        if (err == MP_OKAY)
            ctx->state = 2;
        break;
    case 2: /* NORMS1 */
        sp_384_norm_7(ctx->s);
        XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
        ctx->state = 3;
        break;
    case 3: /* NORMS2 */
        err = sp_384_mont_inv_order_7_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->s, ctx->s, ctx->tmp);
        if (err == MP_OKAY) {
            ctx->state = 4;
        }
        break;
    case 4: /* NORMS3 */
        sp_384_mont_mul_order_7(ctx->u1, ctx->u1, ctx->s);
        ctx->state = 5;
        break;
    case 5: /* NORMS4 */
        sp_384_mont_mul_order_7(ctx->u2, ctx->u2, ctx->s);
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 6;
        break;
    case 6: /* MULBASE */
        err = sp_384_ecc_mulmod_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p1, &p384_base, ctx->u1, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_384_iszero_7(ctx->p1.z)) {
                ctx->p1.infinity = 1;
            }
            XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
            ctx->state = 7;
        }
        break;
    case 7: /* MULMOD */
        err = sp_384_ecc_mulmod_7_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p2, &ctx->p2, ctx->u2, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_384_iszero_7(ctx->p2.z)) {
                ctx->p2.infinity = 1;
            }
            XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
            ctx->state = 8;
        }
        break;
    case 8: /* ADD */
        err = sp_384_proj_point_add_7_nb((sp_ecc_ctx_t*)&ctx->add_ctx, &ctx->p1, &ctx->p1, &ctx->p2, ctx->tmp);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* MONT */
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_384_from_mp(ctx->u2, 7, rm);
        err = sp_384_mod_mul_norm_7(ctx->u2, ctx->u2, p384_mod);
        if (err == MP_OKAY)
            ctx->state = 10;
        break;
    case 10: /* SQR */
        /* u1 = r.z'.z' mod prime */
        sp_384_mont_sqr_7(ctx->p1.z, ctx->p1.z, p384_mod, p384_mp_mod);
        ctx->state = 11;
        break;
    case 11: /* MUL */
        sp_384_mont_mul_7(ctx->u1, ctx->u2, ctx->p1.z, p384_mod, p384_mp_mod);
        ctx->state = 12;
        break;
    case 12: /* RES */
    {
        sp_int64 c = 0;
        err = MP_OKAY; /* math okay, now check result */
        *res = (int)(sp_384_cmp_7(ctx->p1.x, ctx->u1) == 0);
        if (*res == 0) {
            sp_digit carry;

            /* Reload r and add order. */
            sp_384_from_mp(ctx->u2, 7, rm);
            carry = sp_384_add_7(ctx->u2, ctx->u2, p384_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_384_norm_7(ctx->u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_384_cmp_7(ctx->u2, p384_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_384_mod_mul_norm_7(ctx->u2, ctx->u2, p384_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                sp_384_mont_mul_7(ctx->u1, ctx->u2, ctx->p1.z, p384_mod,
                                                            p384_mp_mod);
                *res = (int)(sp_384_cmp_7(ctx->p1.x, ctx->u1) == 0);
            }
        }
        break;
    }
    } /* switch */

    if (err == MP_OKAY && ctx->state != 12) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_VERIFY */

#ifdef HAVE_ECC_CHECK_KEY
/* Check that the x and y ordinates are a valid point on the curve.
 *
 * point  EC point.
 * heap   Heap to use if dynamically allocating.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
static int sp_384_ecc_is_point_7(const sp_point_384* point,
    void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[7 * 4];
#endif
    sp_digit* t2 = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 4, heap, DYNAMIC_TYPE_ECC);
    if (t1 == NULL)
        err = MEMORY_E;
#endif
    (void)heap;

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 7;

        /* y^2 - x^3 - a.x = b */
        sp_384_sqr_7(t1, point->y);
        (void)sp_384_mod_7(t1, t1, p384_mod);
        sp_384_sqr_7(t2, point->x);
        (void)sp_384_mod_7(t2, t2, p384_mod);
        sp_384_mul_7(t2, t2, point->x);
        (void)sp_384_mod_7(t2, t2, p384_mod);
        sp_384_mont_sub_7(t1, t1, t2, p384_mod);

        /* y^2 - x^3 + 3.x = b, when a = -3  */
        sp_384_mont_add_7(t1, t1, point->x, p384_mod);
        sp_384_mont_add_7(t1, t1, point->x, p384_mod);
        sp_384_mont_add_7(t1, t1, point->x, p384_mod);


        if (sp_384_cmp_7(t1, p384_b) != 0) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the x and y ordinates are a valid point on the curve.
 *
 * pX  X ordinate of EC point.
 * pY  Y ordinate of EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
int sp_ecc_is_point_384(const mp_int* pX, const mp_int* pY)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_384* pub = NULL;
#else
    sp_point_384 pub[1];
#endif
    const byte one[1] = { 1 };
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    pub = (sp_point_384*)XMALLOC(sizeof(sp_point_384), NULL,
                                       DYNAMIC_TYPE_ECC);
    if (pub == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        sp_384_from_mp(pub->x, 7, pX);
        sp_384_from_mp(pub->y, 7, pY);
        sp_384_from_bin(pub->z, 7, one, (int)sizeof(one));

        err = sp_384_ecc_is_point_7(pub, NULL);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the private scalar generates the EC point (px, py), the point is
 * on the curve and the point has the correct order.
 *
 * pX     X ordinate of EC point.
 * pY     Y ordinate of EC point.
 * privm  Private scalar that generates EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve, ECC_INF_E if the point does not have the correct order,
 * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
 * MP_OKAY otherwise.
 */
int sp_ecc_check_key_384(const mp_int* pX, const mp_int* pY,
    const mp_int* privm, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* priv = NULL;
    sp_point_384* pub = NULL;
#else
    sp_digit priv[7];
    sp_point_384 pub[2];
#endif
    sp_point_384* p = NULL;
    const byte one[1] = { 1 };
    int err = MP_OKAY;


    /* Quick check the lengs of public key ordinates and private key are in
     * range. Proper check later.
     */
    if (((mp_count_bits(pX) > 384) ||
        (mp_count_bits(pY) > 384) ||
        ((privm != NULL) && (mp_count_bits(privm) > 384)))) {
        err = ECC_OUT_OF_RANGE_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        pub = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, heap,
                                           DYNAMIC_TYPE_ECC);
        if (pub == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY && privm) {
        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7, heap,
                                  DYNAMIC_TYPE_ECC);
        if (priv == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = pub + 1;

        sp_384_from_mp(pub->x, 7, pX);
        sp_384_from_mp(pub->y, 7, pY);
        sp_384_from_bin(pub->z, 7, one, (int)sizeof(one));
        if (privm)
            sp_384_from_mp(priv, 7, privm);

        /* Check point at infinitiy. */
        if ((sp_384_iszero_7(pub->x) != 0) &&
            (sp_384_iszero_7(pub->y) != 0)) {
            err = ECC_INF_E;
        }
    }

    /* Check range of X and Y */
    if ((err == MP_OKAY) &&
            ((sp_384_cmp_7(pub->x, p384_mod) >= 0) ||
             (sp_384_cmp_7(pub->y, p384_mod) >= 0))) {
        err = ECC_OUT_OF_RANGE_E;
    }

    if (err == MP_OKAY) {
        /* Check point is on curve */
        err = sp_384_ecc_is_point_7(pub, heap);
    }

    if (err == MP_OKAY) {
        /* Point * order = infinity */
            err = sp_384_ecc_mulmod_7(p, pub, p384_order, 1, 1, heap);
    }
    /* Check result is infinity */
    if ((err == MP_OKAY) && ((sp_384_iszero_7(p->x) == 0) ||
                             (sp_384_iszero_7(p->y) == 0))) {
        err = ECC_INF_E;
    }

    if (privm) {
        if (err == MP_OKAY) {
            /* Base * private = point */
                err = sp_384_ecc_mulmod_base_7(p, priv, 1, 1, heap);
        }
        /* Check result is public key */
        if ((err == MP_OKAY) &&
                ((sp_384_cmp_7(p->x, pub->x) != 0) ||
                 (sp_384_cmp_7(p->y, pub->y) != 0))) {
            err = ECC_PRIV_KEY_E;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, heap, DYNAMIC_TYPE_ECC);
    if (priv != NULL)
        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
/* Add two projective EC points together.
 * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
 *
 * pX   First EC point's X ordinate.
 * pY   First EC point's Y ordinate.
 * pZ   First EC point's Z ordinate.
 * qX   Second EC point's X ordinate.
 * qY   Second EC point's Y ordinate.
 * qZ   Second EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_add_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* qX, mp_int* qY, mp_int* qZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_384* p = NULL;
#else
    sp_digit tmp[2 * 7 * 6];
    sp_point_384 p[2];
#endif
    sp_point_384* q = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_384*)XMALLOC(sizeof(sp_point_384) * 2, NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        q = p + 1;

        sp_384_from_mp(p->x, 7, pX);
        sp_384_from_mp(p->y, 7, pY);
        sp_384_from_mp(p->z, 7, pZ);
        sp_384_from_mp(q->x, 7, qX);
        sp_384_from_mp(q->y, 7, qY);
        sp_384_from_mp(q->z, 7, qZ);
        p->infinity = sp_384_iszero_7(p->x) &
                      sp_384_iszero_7(p->y);
        q->infinity = sp_384_iszero_7(q->x) &
                      sp_384_iszero_7(q->y);

            sp_384_proj_point_add_7(p, p, q, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Double a projective EC point.
 * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_384* p = NULL;
#else
    sp_digit tmp[2 * 7 * 2];
    sp_point_384 p[1];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 2, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_384_from_mp(p->x, 7, pX);
        sp_384_from_mp(p->y, 7, pY);
        sp_384_from_mp(p->z, 7, pZ);
        p->infinity = sp_384_iszero_7(p->x) &
                      sp_384_iszero_7(p->y);

            sp_384_proj_point_dbl_7(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Map a projective EC point to affine in place.
 * pZ will be one.
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_384* p = NULL;
#else
    sp_digit tmp[2 * 7 * 6];
    sp_point_384 p[1];
#endif
    int err = MP_OKAY;


#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_384*)XMALLOC(sizeof(sp_point_384), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 7 * 6, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        sp_384_from_mp(p->x, 7, pX);
        sp_384_from_mp(p->y, 7, pY);
        sp_384_from_mp(p->z, 7, pZ);
        p->infinity = sp_384_iszero_7(p->x) &
                      sp_384_iszero_7(p->y);

            sp_384_map_7(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->x, pX);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->y, pY);
    }
    if (err == MP_OKAY) {
        err = sp_384_to_mp(p->z, pZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
#ifdef HAVE_COMP_KEY
/* Find the square root of a number mod the prime of the curve.
 *
 * y  The number to operate on and the result.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
static int sp_384_mont_sqrt_7(sp_digit* y)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[5 * 2 * 7];
#endif
    sp_digit* t2 = NULL;
    sp_digit* t3 = NULL;
    sp_digit* t4 = NULL;
    sp_digit* t5 = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 5 * 2 * 7, NULL, DYNAMIC_TYPE_ECC);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 7;
        t3 = t1 + 4 * 7;
        t4 = t1 + 6 * 7;
        t5 = t1 + 8 * 7;

        {
            /* t2 = y ^ 0x2 */
            sp_384_mont_sqr_7(t2, y, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0x3 */
            sp_384_mont_mul_7(t1, t2, y, p384_mod, p384_mp_mod);
            /* t5 = y ^ 0xc */
            sp_384_mont_sqr_n_7(t5, t1, 2, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0xf */
            sp_384_mont_mul_7(t1, t1, t5, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x1e */
            sp_384_mont_sqr_7(t2, t1, p384_mod, p384_mp_mod);
            /* t3 = y ^ 0x1f */
            sp_384_mont_mul_7(t3, t2, y, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x3e0 */
            sp_384_mont_sqr_n_7(t2, t3, 5, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0x3ff */
            sp_384_mont_mul_7(t1, t3, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x7fe0 */
            sp_384_mont_sqr_n_7(t2, t1, 5, p384_mod, p384_mp_mod);
            /* t3 = y ^ 0x7fff */
            sp_384_mont_mul_7(t3, t3, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x3fff800 */
            sp_384_mont_sqr_n_7(t2, t3, 15, p384_mod, p384_mp_mod);
            /* t4 = y ^ 0x3ffffff */
            sp_384_mont_mul_7(t4, t3, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0xffffffc000000 */
            sp_384_mont_sqr_n_7(t2, t4, 30, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0xfffffffffffff */
            sp_384_mont_mul_7(t1, t4, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0xfffffffffffffff000000000000000 */
            sp_384_mont_sqr_n_7(t2, t1, 60, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0xffffffffffffffffffffffffffffff */
            sp_384_mont_mul_7(t1, t1, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0xffffffffffffffffffffffffffffff000000000000000000000000000000 */
            sp_384_mont_sqr_n_7(t2, t1, 120, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
            sp_384_mont_mul_7(t1, t1, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff8000 */
            sp_384_mont_sqr_n_7(t2, t1, 15, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
            sp_384_mont_mul_7(t1, t3, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000 */
            sp_384_mont_sqr_n_7(t2, t1, 31, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff */
            sp_384_mont_mul_7(t1, t4, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffff0 */
            sp_384_mont_sqr_n_7(t2, t1, 4, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc */
            sp_384_mont_mul_7(t1, t5, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000 */
            sp_384_mont_sqr_n_7(t2, t1, 62, p384_mod, p384_mp_mod);
            /* t1 = y ^ 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000001 */
            sp_384_mont_mul_7(t1, y, t2, p384_mod, p384_mp_mod);
            /* t2 = y ^ 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbfffffffc00000000000000040000000 */
            sp_384_mont_sqr_n_7(y, t1, 30, p384_mod, p384_mp_mod);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}


/* Uncompress the point given the X ordinate.
 *
 * xm    X ordinate.
 * odd   Whether the Y ordinate is odd.
 * ym    Calculated Y ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* x = NULL;
#else
    sp_digit x[4 * 7];
#endif
    sp_digit* y = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    x = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 7, NULL, DYNAMIC_TYPE_ECC);
    if (x == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        y = x + 2 * 7;

        sp_384_from_mp(x, 7, xm);
        err = sp_384_mod_mul_norm_7(x, x, p384_mod);
    }
    if (err == MP_OKAY) {
        /* y = x^3 */
        {
            sp_384_mont_sqr_7(y, x, p384_mod, p384_mp_mod);
            sp_384_mont_mul_7(y, y, x, p384_mod, p384_mp_mod);
        }
        /* y = x^3 - 3x */
        sp_384_mont_sub_7(y, y, x, p384_mod);
        sp_384_mont_sub_7(y, y, x, p384_mod);
        sp_384_mont_sub_7(y, y, x, p384_mod);
        /* y = x^3 - 3x + b */
        err = sp_384_mod_mul_norm_7(x, p384_b, p384_mod);
    }
    if (err == MP_OKAY) {
        sp_384_mont_add_7(y, y, x, p384_mod);
        /* y = sqrt(x^3 - 3x + b) */
        err = sp_384_mont_sqrt_7(y);
    }
    if (err == MP_OKAY) {
        XMEMSET(y + 7, 0, 7U * sizeof(sp_digit));
        sp_384_mont_reduce_7(y, p384_mod, p384_mp_mod);
        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
            sp_384_mont_sub_7(y, p384_mod, y, p384_mod);
        }

        err = sp_384_to_mp(y, ym);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (x != NULL)
        XFREE(x, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#endif /* WOLFSSL_SP_384 */
#ifdef WOLFSSL_SP_521

/* Point structure to use. */
typedef struct sp_point_521 {
    /* X ordinate of point. */
    sp_digit x[2 * 9];
    /* Y ordinate of point. */
    sp_digit y[2 * 9];
    /* Z ordinate of point. */
    sp_digit z[2 * 9];
    /* Indicates point is at infinity. */
    int infinity;
} sp_point_521;

/* The modulus (prime) of the curve P521. */
static const sp_digit p521_mod[9] = {
    0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,
    0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,
    0x1ffffffffffffffL
};
/* The Montgomery normalizer for modulus of the curve P521. */
static const sp_digit p521_norm_mod[9] = {
    0x000000000000001L,0x000000000000000L,0x000000000000000L,0x000000000000000L,
    0x000000000000000L,0x000000000000000L,0x000000000000000L,0x000000000000000L,
    0x000000000000000L
};
/* The Montgomery multiplier for modulus of the curve P521. */
static sp_digit p521_mp_mod = 0x00000000000001;
#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                            defined(HAVE_ECC_VERIFY)
/* The order of the curve P521. */
static const sp_digit p521_order[9] = {
    0x36fb71e91386409L,0x1726e226711ebaeL,0x0148f709a5d03bbL,0x20efcbe59adff30L,
    0x3fffffffa518687L,0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,
    0x1ffffffffffffffL
};
#endif
/* The order of the curve P521 minus 2. */
static const sp_digit p521_order2[9] = {
    0x36fb71e91386407L,0x1726e226711ebaeL,0x0148f709a5d03bbL,0x20efcbe59adff30L,
    0x3fffffffa518687L,0x3ffffffffffffffL,0x3ffffffffffffffL,0x3ffffffffffffffL,
    0x1ffffffffffffffL
};
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery normalizer for order of the curve P521. */
static const sp_digit p521_norm_order[9] = {
    0x09048e16ec79bf7L,0x28d91dd98ee1451L,0x3eb708f65a2fc44L,0x1f10341a65200cfL,
    0x000000005ae7978L,0x000000000000000L,0x000000000000000L,0x000000000000000L,
    0x000000000000000L
};
#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* The Montgomery multiplier for order of the curve P521. */
static sp_digit p521_mp_order = 0x12f5ccd79a995c7L;
#endif
/* The base point of curve P521. */
static const sp_point_521 p521_base = {
    /* X ordinate */
    {
        0x17e7e31c2e5bd66L,0x22cf0615a90a6feL,0x0127a2ffa8de334L,
        0x1dfbf9d64a3f877L,0x06b4d3dbaa14b5eL,0x14fed487e0a2bd8L,
        0x15b4429c6481390L,0x3a73678fb2d988eL,0x0c6858e06b70404L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Y ordinate */
    {
        0x0be94769fd16650L,0x31c21a89cb09022L,0x39013fad0761353L,
        0x2657bd099031542L,0x3273e662c97ee72L,0x1e6d11a05ebef45L,
        0x3d1bd998f544495L,0x3001172297ed0b1L,0x11839296a789a3bL,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Z ordinate */
    {
        0x000000000000001L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* infinity */
    0
};
#if defined(HAVE_ECC_CHECK_KEY) || defined(HAVE_COMP_KEY)
static const sp_digit p521_b[9] = {
    0x3451fd46b503f00L,0x0f7e20f4b0d3c7bL,0x00bd3bb1bf07357L,0x147b1fa4dec594bL,
    0x18ef109e1561939L,0x26cc57cee2d2264L,0x0540eea2da725b9L,0x2687e4a688682daL,
    0x051953eb9618e1cL
};
#endif

#ifdef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_521_mul_9(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[8]) * b[8];
    r[17] = (sp_digit)(c >> 58);
    c &= 0x3ffffffffffffffL;
    for (k = 15; k >= 0; k--) {
        if (k >= 9) {
            i = k - 8;
            imax = 8;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 58;
        r[k + 2] += (sp_digit)(c >> 58);
        r[k + 1]  = (sp_digit)(c & 0x3ffffffffffffffL);
        c = lo & 0x3ffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

#else
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_521_mul_9(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_int128 t0;
    sp_int128 t1;
    sp_digit t[9];

    t0 = ((sp_int128)a[ 0]) * b[ 0];
    t1 = ((sp_int128)a[ 0]) * b[ 1]
       + ((sp_int128)a[ 1]) * b[ 0];
    t[ 0] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 0]) * b[ 2]
       + ((sp_int128)a[ 1]) * b[ 1]
       + ((sp_int128)a[ 2]) * b[ 0];
    t[ 1] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 0]) * b[ 3]
       + ((sp_int128)a[ 1]) * b[ 2]
       + ((sp_int128)a[ 2]) * b[ 1]
       + ((sp_int128)a[ 3]) * b[ 0];
    t[ 2] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 0]) * b[ 4]
       + ((sp_int128)a[ 1]) * b[ 3]
       + ((sp_int128)a[ 2]) * b[ 2]
       + ((sp_int128)a[ 3]) * b[ 1]
       + ((sp_int128)a[ 4]) * b[ 0];
    t[ 3] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 0]) * b[ 5]
       + ((sp_int128)a[ 1]) * b[ 4]
       + ((sp_int128)a[ 2]) * b[ 3]
       + ((sp_int128)a[ 3]) * b[ 2]
       + ((sp_int128)a[ 4]) * b[ 1]
       + ((sp_int128)a[ 5]) * b[ 0];
    t[ 4] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 0]) * b[ 6]
       + ((sp_int128)a[ 1]) * b[ 5]
       + ((sp_int128)a[ 2]) * b[ 4]
       + ((sp_int128)a[ 3]) * b[ 3]
       + ((sp_int128)a[ 4]) * b[ 2]
       + ((sp_int128)a[ 5]) * b[ 1]
       + ((sp_int128)a[ 6]) * b[ 0];
    t[ 5] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 0]) * b[ 7]
       + ((sp_int128)a[ 1]) * b[ 6]
       + ((sp_int128)a[ 2]) * b[ 5]
       + ((sp_int128)a[ 3]) * b[ 4]
       + ((sp_int128)a[ 4]) * b[ 3]
       + ((sp_int128)a[ 5]) * b[ 2]
       + ((sp_int128)a[ 6]) * b[ 1]
       + ((sp_int128)a[ 7]) * b[ 0];
    t[ 6] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 0]) * b[ 8]
       + ((sp_int128)a[ 1]) * b[ 7]
       + ((sp_int128)a[ 2]) * b[ 6]
       + ((sp_int128)a[ 3]) * b[ 5]
       + ((sp_int128)a[ 4]) * b[ 4]
       + ((sp_int128)a[ 5]) * b[ 3]
       + ((sp_int128)a[ 6]) * b[ 2]
       + ((sp_int128)a[ 7]) * b[ 1]
       + ((sp_int128)a[ 8]) * b[ 0];
    t[ 7] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 1]) * b[ 8]
       + ((sp_int128)a[ 2]) * b[ 7]
       + ((sp_int128)a[ 3]) * b[ 6]
       + ((sp_int128)a[ 4]) * b[ 5]
       + ((sp_int128)a[ 5]) * b[ 4]
       + ((sp_int128)a[ 6]) * b[ 3]
       + ((sp_int128)a[ 7]) * b[ 2]
       + ((sp_int128)a[ 8]) * b[ 1];
    t[ 8] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 2]) * b[ 8]
       + ((sp_int128)a[ 3]) * b[ 7]
       + ((sp_int128)a[ 4]) * b[ 6]
       + ((sp_int128)a[ 5]) * b[ 5]
       + ((sp_int128)a[ 6]) * b[ 4]
       + ((sp_int128)a[ 7]) * b[ 3]
       + ((sp_int128)a[ 8]) * b[ 2];
    r[ 9] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 3]) * b[ 8]
       + ((sp_int128)a[ 4]) * b[ 7]
       + ((sp_int128)a[ 5]) * b[ 6]
       + ((sp_int128)a[ 6]) * b[ 5]
       + ((sp_int128)a[ 7]) * b[ 4]
       + ((sp_int128)a[ 8]) * b[ 3];
    r[10] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 4]) * b[ 8]
       + ((sp_int128)a[ 5]) * b[ 7]
       + ((sp_int128)a[ 6]) * b[ 6]
       + ((sp_int128)a[ 7]) * b[ 5]
       + ((sp_int128)a[ 8]) * b[ 4];
    r[11] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 5]) * b[ 8]
       + ((sp_int128)a[ 6]) * b[ 7]
       + ((sp_int128)a[ 7]) * b[ 6]
       + ((sp_int128)a[ 8]) * b[ 5];
    r[12] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 6]) * b[ 8]
       + ((sp_int128)a[ 7]) * b[ 7]
       + ((sp_int128)a[ 8]) * b[ 6];
    r[13] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = ((sp_int128)a[ 7]) * b[ 8]
       + ((sp_int128)a[ 8]) * b[ 7];
    r[14] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = ((sp_int128)a[ 8]) * b[ 8];
    r[15] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    r[16] = t0 & 0x3ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 58);
    XMEMCPY(r, t, sizeof(t));
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_521_sqr_9(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[8]) * a[8];
    r[17] = (sp_digit)(c >> 58);
    c = (c & 0x3ffffffffffffffL) << 58;
    for (k = 15; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 8) {
            imax = k;
        }
        else {
            imax = 8;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 116);
        r[k + 1]  = (sp_digit)((c >> 58) & 0x3ffffffffffffffL);
        c = (c & 0x3ffffffffffffffL) << 58;
    }
    r[0] = (sp_digit)(c >> 58);
}

#else
/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_521_sqr_9(sp_digit* r, const sp_digit* a)
{
    sp_int128 t0;
    sp_int128 t1;
    sp_digit t[9];

    t0 =  ((sp_int128)a[ 0]) * a[ 0];
    t1 = (((sp_int128)a[ 0]) * a[ 1]) * 2;
    t[ 0] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 0]) * a[ 2]) * 2
       +  ((sp_int128)a[ 1]) * a[ 1];
    t[ 1] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 0]) * a[ 3]
       +  ((sp_int128)a[ 1]) * a[ 2]) * 2;
    t[ 2] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 0]) * a[ 4]
       +  ((sp_int128)a[ 1]) * a[ 3]) * 2
       +  ((sp_int128)a[ 2]) * a[ 2];
    t[ 3] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 0]) * a[ 5]
       +  ((sp_int128)a[ 1]) * a[ 4]
       +  ((sp_int128)a[ 2]) * a[ 3]) * 2;
    t[ 4] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 0]) * a[ 6]
       +  ((sp_int128)a[ 1]) * a[ 5]
       +  ((sp_int128)a[ 2]) * a[ 4]) * 2
       +  ((sp_int128)a[ 3]) * a[ 3];
    t[ 5] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 0]) * a[ 7]
       +  ((sp_int128)a[ 1]) * a[ 6]
       +  ((sp_int128)a[ 2]) * a[ 5]
       +  ((sp_int128)a[ 3]) * a[ 4]) * 2;
    t[ 6] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 0]) * a[ 8]
       +  ((sp_int128)a[ 1]) * a[ 7]
       +  ((sp_int128)a[ 2]) * a[ 6]
       +  ((sp_int128)a[ 3]) * a[ 5]) * 2
       +  ((sp_int128)a[ 4]) * a[ 4];
    t[ 7] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 1]) * a[ 8]
       +  ((sp_int128)a[ 2]) * a[ 7]
       +  ((sp_int128)a[ 3]) * a[ 6]
       +  ((sp_int128)a[ 4]) * a[ 5]) * 2;
    t[ 8] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 2]) * a[ 8]
       +  ((sp_int128)a[ 3]) * a[ 7]
       +  ((sp_int128)a[ 4]) * a[ 6]) * 2
       +  ((sp_int128)a[ 5]) * a[ 5];
    r[ 9] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 3]) * a[ 8]
       +  ((sp_int128)a[ 4]) * a[ 7]
       +  ((sp_int128)a[ 5]) * a[ 6]) * 2;
    r[10] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 4]) * a[ 8]
       +  ((sp_int128)a[ 5]) * a[ 7]) * 2
       +  ((sp_int128)a[ 6]) * a[ 6];
    r[11] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 5]) * a[ 8]
       +  ((sp_int128)a[ 6]) * a[ 7]) * 2;
    r[12] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 = (((sp_int128)a[ 6]) * a[ 8]) * 2
       +  ((sp_int128)a[ 7]) * a[ 7];
    r[13] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    t1 = (((sp_int128)a[ 7]) * a[ 8]) * 2;
    r[14] = t0 & 0x3ffffffffffffffL; t1 += t0 >> 58;
    t0 =  ((sp_int128)a[ 8]) * a[ 8];
    r[15] = t1 & 0x3ffffffffffffffL; t0 += t1 >> 58;
    r[16] = t0 & 0x3ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 58);
    XMEMCPY(r, t, sizeof(t));
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_521_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 9; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}
#else
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_521_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];
    r[ 7] = a[ 7] + b[ 7];
    r[ 8] = a[ 8] + b[ 8];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_521_sub_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 9; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

#else
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_521_sub_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] - b[ 0];
    r[ 1] = a[ 1] - b[ 1];
    r[ 2] = a[ 2] - b[ 2];
    r[ 3] = a[ 3] - b[ 3];
    r[ 4] = a[ 4] - b[ 4];
    r[ 5] = a[ 5] - b[ 5];
    r[ 6] = a[ 6] - b[ 6];
    r[ 7] = a[ 7] - b[ 7];
    r[ 8] = a[ 8] - b[ 8];

    return 0;
}

#endif /* WOLFSSL_SP_SMALL */
/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_521_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 58
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 57);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 57);
    }
#elif DIGIT_BIT > 58
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x3ffffffffffffffL;
        s = 58U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 58U) <= (word32)DIGIT_BIT) {
            s += 58U;
            r[j] &= 0x3ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 58) {
            r[j] &= 0x3ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 58 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Convert a point of type ecc_point to type sp_point_521.
 *
 * p   Point of type sp_point_521 (result).
 * pm  Point of type ecc_point.
 */
static void sp_521_point_from_ecc_point_9(sp_point_521* p,
        const ecc_point* pm)
{
    XMEMSET(p->x, 0, sizeof(p->x));
    XMEMSET(p->y, 0, sizeof(p->y));
    XMEMSET(p->z, 0, sizeof(p->z));
    sp_521_from_mp(p->x, 9, pm->x);
    sp_521_from_mp(p->y, 9, pm->y);
    sp_521_from_mp(p->z, 9, pm->z);
    p->infinity = 0;
}

/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_521_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (521 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 58
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 9);
        r->used = 9;
        mp_clamp(r);
#elif DIGIT_BIT < 58
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 9; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 58) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 58 - s;
        }
        r->used = (521 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 9; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 58 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 58 - s;
            }
            else {
                s += 58;
            }
        }
        r->used = (521 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Convert a point of type sp_point_521 to type ecc_point.
 *
 * p   Point of type sp_point_521.
 * pm  Point of type ecc_point (result).
 * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
 * MP_OKAY.
 */
static int sp_521_point_to_ecc_point_9(const sp_point_521* p, ecc_point* pm)
{
    int err;

    err = sp_521_to_mp(p->x, pm->x);
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->y, pm->y);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->z, pm->z);
    }

    return err;
}

/* Normalize the values in each word to 58 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_521_norm_9(sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    for (i = 0; i < 8; i++) {
        a[i+1] += a[i] >> 58;
        a[i] &= 0x3ffffffffffffffL;
    }
#else
    a[1] += a[0] >> 58; a[0] &= 0x3ffffffffffffffL;
    a[2] += a[1] >> 58; a[1] &= 0x3ffffffffffffffL;
    a[3] += a[2] >> 58; a[2] &= 0x3ffffffffffffffL;
    a[4] += a[3] >> 58; a[3] &= 0x3ffffffffffffffL;
    a[5] += a[4] >> 58; a[4] &= 0x3ffffffffffffffL;
    a[6] += a[5] >> 58; a[5] &= 0x3ffffffffffffffL;
    a[7] += a[6] >> 58; a[6] &= 0x3ffffffffffffffL;
    a[8] += a[7] >> 58; a[7] &= 0x3ffffffffffffffL;
#endif /* WOLFSSL_SP_SMALL */
}

/* Reduce the number back to 521 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_521_mont_reduce_9(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;

    (void)m;
    (void)mp;

    for (i = 0; i < 8; i++) {
        a[i] += ((a[8 + i] >> 57) + (a[8 + i + 1] << 1)) & 0x3ffffffffffffffL;
    }
    a[8] &= 0x1ffffffffffffff;
    a[8] += ((a[16] >> 57) + (a[17] << 1)) & 0x3ffffffffffffffL;

    sp_521_norm_9(a);

    a[0] += a[8] >> 57;
    a[8] &= 0x1ffffffffffffff;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_521_cmp_9(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=8; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 57);
    }
#else
    r |= (a[ 8] - b[ 8]) & (0 - (sp_digit)1);
    r |= (a[ 7] - b[ 7]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 6] - b[ 6]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 5] - b[ 5]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 4] - b[ 4]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 3] - b[ 3]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 2] - b[ 2]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 1] - b[ 1]) & ~(((sp_digit)0 - r) >> 57);
    r |= (a[ 0] - b[ 0]) & ~(((sp_digit)0 - r) >> 57);
#endif /* WOLFSSL_SP_SMALL */

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_521_cond_sub_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 9; i++) {
        r[i] = a[i] - (b[i] & m);
    }
#else
    r[ 0] = a[ 0] - (b[ 0] & m);
    r[ 1] = a[ 1] - (b[ 1] & m);
    r[ 2] = a[ 2] - (b[ 2] & m);
    r[ 3] = a[ 3] - (b[ 3] & m);
    r[ 4] = a[ 4] - (b[ 4] & m);
    r[ 5] = a[ 5] - (b[ 5] & m);
    r[ 6] = a[ 6] - (b[ 6] & m);
    r[ 7] = a[ 7] - (b[ 7] & m);
    r[ 8] = a[ 8] - (b[ 8] & m);
#endif /* WOLFSSL_SP_SMALL */
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_521_mul_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 8; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x3ffffffffffffffL;
        t[1] += t[0] >> 58;
        r[i+1] = t[1] & 0x3ffffffffffffffL;
        t[2] += t[1] >> 58;
        r[i+2] = t[2] & 0x3ffffffffffffffL;
        t[3] += t[2] >> 58;
        r[i+3] = t[3] & 0x3ffffffffffffffL;
        t[0]  = t[3] >> 58;
    }
    t[0] += (tb * a[8]) + r[8];
    r[8] = t[0] & 0x3ffffffffffffffL;
    r[9] +=  (sp_digit)(t[0] >> 58);
#else
    sp_int128 tb = b;
    sp_int128 t[9];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    t[ 5] = tb * a[ 5];
    t[ 6] = tb * a[ 6];
    t[ 7] = tb * a[ 7];
    t[ 8] = tb * a[ 8];
    r[ 0] += (sp_digit)                 (t[ 0] & 0x3ffffffffffffffL);
    r[ 1] += (sp_digit)((t[ 0] >> 58) + (t[ 1] & 0x3ffffffffffffffL));
    r[ 2] += (sp_digit)((t[ 1] >> 58) + (t[ 2] & 0x3ffffffffffffffL));
    r[ 3] += (sp_digit)((t[ 2] >> 58) + (t[ 3] & 0x3ffffffffffffffL));
    r[ 4] += (sp_digit)((t[ 3] >> 58) + (t[ 4] & 0x3ffffffffffffffL));
    r[ 5] += (sp_digit)((t[ 4] >> 58) + (t[ 5] & 0x3ffffffffffffffL));
    r[ 6] += (sp_digit)((t[ 5] >> 58) + (t[ 6] & 0x3ffffffffffffffL));
    r[ 7] += (sp_digit)((t[ 6] >> 58) + (t[ 7] & 0x3ffffffffffffffL));
    r[ 8] += (sp_digit)((t[ 7] >> 58) + (t[ 8] & 0x3ffffffffffffffL));
    r[ 9] += (sp_digit) (t[ 8] >> 58);
#endif /* WOLFSSL_SP_SMALL */
}

/* Shift the result in the high 521 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_521_mont_shift_9(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    sp_uint64 n;

    n = a[8] >> 57;
    for (i = 0; i < 8; i++) {
        n += (sp_uint64)a[9 + i] << 1;
        r[i] = n & 0x3ffffffffffffffL;
        n >>= 58;
    }
    n += (sp_uint64)a[17] << 1;
    r[8] = n;
#else
    sp_uint64 n;

    n  = a[8] >> 57;
    n += (sp_uint64)a[ 9] << 1U; r[ 0] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[10] << 1U; r[ 1] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[11] << 1U; r[ 2] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[12] << 1U; r[ 3] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[13] << 1U; r[ 4] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[14] << 1U; r[ 5] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[15] << 1U; r[ 6] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[16] << 1U; r[ 7] = n & 0x3ffffffffffffffUL; n >>= 58U;
    n += (sp_uint64)a[17] << 1U; r[ 8] = n;
#endif /* WOLFSSL_SP_SMALL */
    XMEMSET(&r[9], 0, sizeof(*r) * 9U);
}

/* Reduce the number back to 521 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_521_mont_reduce_order_9(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_521_norm_9(a + 9);

    for (i=0; i<8; i++) {
        mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x3ffffffffffffffL;
        sp_521_mul_add_9(a+i, m, mu);
        a[i+1] += a[i] >> 58;
    }
    mu = ((sp_uint64)a[i] * (sp_uint64)mp) & 0x1ffffffffffffffL;
    sp_521_mul_add_9(a+i, m, mu);
    a[i+1] += a[i] >> 58;
    a[i] &= 0x3ffffffffffffffL;
    sp_521_mont_shift_9(a, a);
    over = a[8] >> 57;
    sp_521_cond_sub_9(a, a, m, ~((over - 1) >> 63));
    sp_521_norm_9(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_521_mont_mul_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_521_mul_9(r, a, b);
    sp_521_mont_reduce_9(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_521_mont_sqr_9(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_521_sqr_9(r, a);
    sp_521_mont_reduce_9(r, m, mp);
}

#ifndef WOLFSSL_SP_SMALL
/* Square the Montgomery form number a number of times. (r = a ^ n mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * n   Number of times to square.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_521_mont_sqr_n_9(sp_digit* r,
    const sp_digit* a, int n, const sp_digit* m, sp_digit mp)
{
    sp_521_mont_sqr_9(r, a, m, mp);
    for (; n > 1; n--) {
        sp_521_mont_sqr_9(r, r, m, mp);
    }
}

#endif /* !WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/* Mod-2 for the P521 curve. */
static const uint64_t p521_mod_minus_2[9] = {
    0xfffffffffffffffdU,0xffffffffffffffffU,0xffffffffffffffffU,
    0xffffffffffffffffU,0xffffffffffffffffU,0xffffffffffffffffU,
    0xffffffffffffffffU,0xffffffffffffffffU,0x00000000000001ffU
};
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
 * P521 curve. (r = 1 / a mod m)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */
static void sp_521_mont_inv_9(sp_digit* r, const sp_digit* a, sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 9);
    for (i=519; i>=0; i--) {
        sp_521_mont_sqr_9(t, t, p521_mod, p521_mp_mod);
        if (p521_mod_minus_2[i / 64] & ((sp_digit)1 << (i % 64)))
            sp_521_mont_mul_9(t, t, a, p521_mod, p521_mp_mod);
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 9);
#else
    sp_digit* t1 = td;
    sp_digit* t2 = td + 2 * 9;
    sp_digit* t3 = td + 4 * 9;

    /* 0x2 */
    sp_521_mont_sqr_9(t1, a, p521_mod, p521_mp_mod);
    /* 0x3 */
    sp_521_mont_mul_9(t2, t1, a, p521_mod, p521_mp_mod);
    /* 0x6 */
    sp_521_mont_sqr_9(t1, t2, p521_mod, p521_mp_mod);
    /* 0x7 */
    sp_521_mont_mul_9(t3, t1, a, p521_mod, p521_mp_mod);
    /* 0xc */
    sp_521_mont_sqr_n_9(t1, t2, 2, p521_mod, p521_mp_mod);
    /* 0xf */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0x78 */
    sp_521_mont_sqr_n_9(t1, t2, 3, p521_mod, p521_mp_mod);
    /* 0x7f */
    sp_521_mont_mul_9(t3, t3, t1, p521_mod, p521_mp_mod);
    /* 0xf0 */
    sp_521_mont_sqr_n_9(t1, t2, 4, p521_mod, p521_mp_mod);
    /* 0xff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xff00 */
    sp_521_mont_sqr_n_9(t1, t2, 8, p521_mod, p521_mp_mod);
    /* 0xffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xffff0000 */
    sp_521_mont_sqr_n_9(t1, t2, 16, p521_mod, p521_mp_mod);
    /* 0xffffffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xffffffff00000000 */
    sp_521_mont_sqr_n_9(t1, t2, 32, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffff0000000000000000 */
    sp_521_mont_sqr_n_9(t1, t2, 64, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffffffffffffffffffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffffffffffffffffffff00000000000000000000000000000000 */
    sp_521_mont_sqr_n_9(t1, t2, 128, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000 */
    sp_521_mont_sqr_n_9(t1, t2, 256, p521_mod, p521_mp_mod);
    /* 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
    sp_521_mont_mul_9(t2, t2, t1, p521_mod, p521_mp_mod);
    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff80 */
    sp_521_mont_sqr_n_9(t1, t2, 7, p521_mod, p521_mp_mod);
    /* 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff */
    sp_521_mont_mul_9(t2, t3, t1, p521_mod, p521_mp_mod);
    /* 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc */
    sp_521_mont_sqr_n_9(t1, t2, 2, p521_mod, p521_mp_mod);
    /* 0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd */
    sp_521_mont_mul_9(r, t1, a, p521_mod, p521_mp_mod);

#endif /* WOLFSSL_SP_SMALL */
}

/* Map the Montgomery form projective coordinate point to an affine point.
 *
 * r  Resulting affine coordinate point.
 * p  Montgomery form projective coordinate point.
 * t  Temporary ordinate data.
 */
static void sp_521_map_9(sp_point_521* r, const sp_point_521* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*9;
    sp_int64 n;

    sp_521_mont_inv_9(t1, p->z, t + 2*9);

    sp_521_mont_sqr_9(t2, t1, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t1, t2, t1, p521_mod, p521_mp_mod);

    /* x /= z^2 */
    sp_521_mont_mul_9(r->x, p->x, t2, p521_mod, p521_mp_mod);
    XMEMSET(r->x + 9, 0, sizeof(sp_digit) * 9U);
    sp_521_mont_reduce_9(r->x, p521_mod, p521_mp_mod);
    /* Reduce x to less than modulus */
    n = sp_521_cmp_9(r->x, p521_mod);
    sp_521_cond_sub_9(r->x, r->x, p521_mod, ~(n >> 57));
    sp_521_norm_9(r->x);

    /* y /= z^3 */
    sp_521_mont_mul_9(r->y, p->y, t1, p521_mod, p521_mp_mod);
    XMEMSET(r->y + 9, 0, sizeof(sp_digit) * 9U);
    sp_521_mont_reduce_9(r->y, p521_mod, p521_mp_mod);
    /* Reduce y to less than modulus */
    n = sp_521_cmp_9(r->y, p521_mod);
    sp_521_cond_sub_9(r->y, r->y, p521_mod, ~(n >> 57));
    sp_521_norm_9(r->y);

    XMEMSET(r->z, 0, sizeof(r->z) / 2);
    r->z[0] = 1;
}

/* Add two Montgomery form numbers (r = a + b % m).
 *
 * r   Result of addition.
 * a   First number to add in Montgomery form.
 * b   Second number to add in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_521_mont_add_9(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    sp_digit over;
    (void)sp_521_add_9(r, a, b);
    sp_521_norm_9(r);
    over = r[8] >> 57;
    sp_521_cond_sub_9(r, r, m, ~((over - 1) >> 63));
    sp_521_norm_9(r);
}

/* Double a Montgomery form number (r = a + a % m).
 *
 * r   Result of doubling.
 * a   Number to double in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_521_mont_dbl_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_521_add_9(r, a, a);
    sp_521_norm_9(r);
    over = r[8] >> 57;
    sp_521_cond_sub_9(r, r, m, ~((over - 1) >> 63));
    sp_521_norm_9(r);
}

/* Triple a Montgomery form number (r = a + a + a % m).
 *
 * r   Result of Tripling.
 * a   Number to triple in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_521_mont_tpl_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_521_add_9(r, a, a);
    sp_521_norm_9(r);
    over = r[8] >> 57;
    sp_521_cond_sub_9(r, r, m, ~((over - 1) >> 63));
    sp_521_norm_9(r);
    (void)sp_521_add_9(r, r, a);
    sp_521_norm_9(r);
    over = r[8] >> 57;
    sp_521_cond_sub_9(r, r, m, ~((over - 1) >> 63));
    sp_521_norm_9(r);
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_521_cond_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 9; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_521_cond_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    r[ 0] = a[ 0] + (b[ 0] & m);
    r[ 1] = a[ 1] + (b[ 1] & m);
    r[ 2] = a[ 2] + (b[ 2] & m);
    r[ 3] = a[ 3] + (b[ 3] & m);
    r[ 4] = a[ 4] + (b[ 4] & m);
    r[ 5] = a[ 5] + (b[ 5] & m);
    r[ 6] = a[ 6] + (b[ 6] & m);
    r[ 7] = a[ 7] + (b[ 7] & m);
    r[ 8] = a[ 8] + (b[ 8] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

/* Subtract two Montgomery form numbers (r = a - b % m).
 *
 * r   Result of subtration.
 * a   Number to subtract from in Montgomery form.
 * b   Number to subtract with in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_521_mont_sub_9(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    (void)sp_521_sub_9(r, a, b);
    sp_521_norm_9(r);
    sp_521_cond_add_9(r, r, m, r[8] >> 57);
    sp_521_norm_9(r);
}

/* Shift number left one bit.
 * Bottom bit is lost.
 *
 * r  Result of shift.
 * a  Number to shift.
 */
SP_NOINLINE static void sp_521_rshift1_9(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=0; i<8; i++) {
        r[i] = (a[i] >> 1) + ((a[i + 1] << 57) & 0x3ffffffffffffffL);
    }
#else
    r[0] = (a[0] >> 1) + ((a[1] << 57) & 0x3ffffffffffffffL);
    r[1] = (a[1] >> 1) + ((a[2] << 57) & 0x3ffffffffffffffL);
    r[2] = (a[2] >> 1) + ((a[3] << 57) & 0x3ffffffffffffffL);
    r[3] = (a[3] >> 1) + ((a[4] << 57) & 0x3ffffffffffffffL);
    r[4] = (a[4] >> 1) + ((a[5] << 57) & 0x3ffffffffffffffL);
    r[5] = (a[5] >> 1) + ((a[6] << 57) & 0x3ffffffffffffffL);
    r[6] = (a[6] >> 1) + ((a[7] << 57) & 0x3ffffffffffffffL);
    r[7] = (a[7] >> 1) + ((a[8] << 57) & 0x3ffffffffffffffL);
#endif
    r[8] = a[8] >> 1;
}

/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
 *
 * r  Result of division by 2.
 * a  Number to divide.
 * m  Modulus (prime).
 */
static void sp_521_mont_div2_9(sp_digit* r, const sp_digit* a,
        const sp_digit* m)
{
    sp_521_cond_add_9(r, a, m, 0 - (a[0] & 1));
    sp_521_norm_9(r);
    sp_521_rshift1_9(r, r);
}

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static void sp_521_proj_point_dbl_9(sp_point_521* r, const sp_point_521* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*9;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;

    x = r->x;
    y = r->y;
    z = r->z;
    /* Put infinity into result. */
    if (r != p) {
        r->infinity = p->infinity;
    }

    /* T1 = Z * Z */
    sp_521_mont_sqr_9(t1, p->z, p521_mod, p521_mp_mod);
    /* Z = Y * Z */
    sp_521_mont_mul_9(z, p->y, p->z, p521_mod, p521_mp_mod);
    /* Z = 2Z */
    sp_521_mont_dbl_9(z, z, p521_mod);
    /* T2 = X - T1 */
    sp_521_mont_sub_9(t2, p->x, t1, p521_mod);
    /* T1 = X + T1 */
    sp_521_mont_add_9(t1, p->x, t1, p521_mod);
    /* T2 = T1 * T2 */
    sp_521_mont_mul_9(t2, t1, t2, p521_mod, p521_mp_mod);
    /* T1 = 3T2 */
    sp_521_mont_tpl_9(t1, t2, p521_mod);
    /* Y = 2Y */
    sp_521_mont_dbl_9(y, p->y, p521_mod);
    /* Y = Y * Y */
    sp_521_mont_sqr_9(y, y, p521_mod, p521_mp_mod);
    /* T2 = Y * Y */
    sp_521_mont_sqr_9(t2, y, p521_mod, p521_mp_mod);
    /* T2 = T2/2 */
    sp_521_mont_div2_9(t2, t2, p521_mod);
    /* Y = Y * X */
    sp_521_mont_mul_9(y, y, p->x, p521_mod, p521_mp_mod);
    /* X = T1 * T1 */
    sp_521_mont_sqr_9(x, t1, p521_mod, p521_mp_mod);
    /* X = X - Y */
    sp_521_mont_sub_9(x, x, y, p521_mod);
    /* X = X - Y */
    sp_521_mont_sub_9(x, x, y, p521_mod);
    /* Y = Y - X */
    sp_521_mont_sub_9(y, y, x, p521_mod);
    /* Y = Y * T1 */
    sp_521_mont_mul_9(y, y, t1, p521_mod, p521_mp_mod);
    /* Y = Y - T2 */
    sp_521_mont_sub_9(y, y, t2, p521_mod);
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_521_proj_point_dbl_9_ctx {
    int state;
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_521_proj_point_dbl_9_ctx;

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static int sp_521_proj_point_dbl_9_nb(sp_ecc_ctx_t* sp_ctx, sp_point_521* r,
        const sp_point_521* p, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_521_proj_point_dbl_9_ctx* ctx = (sp_521_proj_point_dbl_9_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_521_proj_point_dbl_9_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        ctx->t1 = t;
        ctx->t2 = t + 2*9;
        ctx->x = r->x;
        ctx->y = r->y;
        ctx->z = r->z;

        /* Put infinity into result. */
        if (r != p) {
            r->infinity = p->infinity;
        }
        ctx->state = 1;
        break;
    case 1:
        /* T1 = Z * Z */
        sp_521_mont_sqr_9(ctx->t1, p->z, p521_mod, p521_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        /* Z = Y * Z */
        sp_521_mont_mul_9(ctx->z, p->y, p->z, p521_mod, p521_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        /* Z = 2Z */
        sp_521_mont_dbl_9(ctx->z, ctx->z, p521_mod);
        ctx->state = 4;
        break;
    case 4:
        /* T2 = X - T1 */
        sp_521_mont_sub_9(ctx->t2, p->x, ctx->t1, p521_mod);
        ctx->state = 5;
        break;
    case 5:
        /* T1 = X + T1 */
        sp_521_mont_add_9(ctx->t1, p->x, ctx->t1, p521_mod);
        ctx->state = 6;
        break;
    case 6:
        /* T2 = T1 * T2 */
        sp_521_mont_mul_9(ctx->t2, ctx->t1, ctx->t2, p521_mod, p521_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* T1 = 3T2 */
        sp_521_mont_tpl_9(ctx->t1, ctx->t2, p521_mod);
        ctx->state = 8;
        break;
    case 8:
        /* Y = 2Y */
        sp_521_mont_dbl_9(ctx->y, p->y, p521_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Y = Y * Y */
        sp_521_mont_sqr_9(ctx->y, ctx->y, p521_mod, p521_mp_mod);
        ctx->state = 10;
        break;
    case 10:
        /* T2 = Y * Y */
        sp_521_mont_sqr_9(ctx->t2, ctx->y, p521_mod, p521_mp_mod);
        ctx->state = 11;
        break;
    case 11:
        /* T2 = T2/2 */
        sp_521_mont_div2_9(ctx->t2, ctx->t2, p521_mod);
        ctx->state = 12;
        break;
    case 12:
        /* Y = Y * X */
        sp_521_mont_mul_9(ctx->y, ctx->y, p->x, p521_mod, p521_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        /* X = T1 * T1 */
        sp_521_mont_sqr_9(ctx->x, ctx->t1, p521_mod, p521_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        /* X = X - Y */
        sp_521_mont_sub_9(ctx->x, ctx->x, ctx->y, p521_mod);
        ctx->state = 15;
        break;
    case 15:
        /* X = X - Y */
        sp_521_mont_sub_9(ctx->x, ctx->x, ctx->y, p521_mod);
        ctx->state = 16;
        break;
    case 16:
        /* Y = Y - X */
        sp_521_mont_sub_9(ctx->y, ctx->y, ctx->x, p521_mod);
        ctx->state = 17;
        break;
    case 17:
        /* Y = Y * T1 */
        sp_521_mont_mul_9(ctx->y, ctx->y, ctx->t1, p521_mod, p521_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        /* Y = Y - T2 */
        sp_521_mont_sub_9(ctx->y, ctx->y, ctx->t2, p521_mod);
        ctx->state = 19;
        /* fall-through */
    case 19:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 19) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
/* Compare two numbers to determine if they are equal.
 * Constant time implementation.
 *
 * a  First number to compare.
 * b  Second number to compare.
 * returns 1 when equal and 0 otherwise.
 */
static int sp_521_cmp_equal_9(const sp_digit* a, const sp_digit* b)
{
    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) |
            (a[3] ^ b[3]) | (a[4] ^ b[4]) | (a[5] ^ b[5]) |
            (a[6] ^ b[6]) | (a[7] ^ b[7]) | (a[8] ^ b[8])) == 0;
}

/* Returns 1 if the number of zero.
 * Implementation is constant time.
 *
 * a  Number to check.
 * returns 1 if the number is zero and 0 otherwise.
 */
static int sp_521_iszero_9(const sp_digit* a)
{
    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
            a[8]) == 0;
}


/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_521_proj_point_add_9(sp_point_521* r,
        const sp_point_521* p, const sp_point_521* q, sp_digit* t)
{
    sp_digit* t6 = t;
    sp_digit* t1 = t + 2*9;
    sp_digit* t2 = t + 4*9;
    sp_digit* t3 = t + 6*9;
    sp_digit* t4 = t + 8*9;
    sp_digit* t5 = t + 10*9;

    /* U1 = X1*Z2^2 */
    sp_521_mont_sqr_9(t1, q->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t3, t1, q->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t1, t1, p->x, p521_mod, p521_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_521_mont_sqr_9(t2, p->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t4, t2, p->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t2, t2, q->x, p521_mod, p521_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_521_mont_mul_9(t3, t3, p->y, p521_mod, p521_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_521_mont_mul_9(t4, t4, q->y, p521_mod, p521_mp_mod);

    /* Check double */
    if ((~p->infinity) & (~q->infinity) &
            sp_521_cmp_equal_9(t2, t1) &
            sp_521_cmp_equal_9(t4, t3)) {
        sp_521_proj_point_dbl_9(r, p, t);
    }
    else {
        sp_digit* x = t6;
        sp_digit* y = t1;
        sp_digit* z = t2;

        /* H = U2 - U1 */
        sp_521_mont_sub_9(t2, t2, t1, p521_mod);
        /* R = S2 - S1 */
        sp_521_mont_sub_9(t4, t4, t3, p521_mod);
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_521_mont_sqr_9(t5, t2, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(y, t1, t5, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(t5, t5, t2, p521_mod, p521_mp_mod);
        /* Z3 = H*Z1*Z2 */
        sp_521_mont_mul_9(z, p->z, t2, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(z, z, q->z, p521_mod, p521_mp_mod);
        sp_521_mont_sqr_9(x, t4, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(x, x, t5, p521_mod);
        sp_521_mont_mul_9(t5, t5, t3, p521_mod, p521_mp_mod);
        sp_521_mont_dbl_9(t3, y, p521_mod);
        sp_521_mont_sub_9(x, x, t3, p521_mod);
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_521_mont_sub_9(y, y, x, p521_mod);
        sp_521_mont_mul_9(y, y, t4, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(y, y, t5, p521_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 9; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_521_proj_point_add_9_ctx {
    int state;
    sp_521_proj_point_dbl_9_ctx dbl_ctx;
    const sp_point_521* ap[2];
    sp_point_521* rp[2];
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* t3;
    sp_digit* t4;
    sp_digit* t5;
    sp_digit* t6;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_521_proj_point_add_9_ctx;

/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static int sp_521_proj_point_add_9_nb(sp_ecc_ctx_t* sp_ctx, sp_point_521* r,
    const sp_point_521* p, const sp_point_521* q, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_521_proj_point_add_9_ctx* ctx = (sp_521_proj_point_add_9_ctx*)sp_ctx->data;

    /* Ensure only the first point is the same as the result. */
    if (q == r) {
        const sp_point_521* a = p;
        p = q;
        q = a;
    }

    typedef char ctx_size_test[sizeof(sp_521_proj_point_add_9_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->t6 = t;
        ctx->t1 = t + 2*9;
        ctx->t2 = t + 4*9;
        ctx->t3 = t + 6*9;
        ctx->t4 = t + 8*9;
        ctx->t5 = t + 10*9;
        ctx->x = ctx->t6;
        ctx->y = ctx->t1;
        ctx->z = ctx->t2;

        ctx->state = 1;
        break;
    case 1:
        /* U1 = X1*Z2^2 */
        sp_521_mont_sqr_9(ctx->t1, q->z, p521_mod, p521_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        sp_521_mont_mul_9(ctx->t3, ctx->t1, q->z, p521_mod, p521_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        sp_521_mont_mul_9(ctx->t1, ctx->t1, p->x, p521_mod, p521_mp_mod);
        ctx->state = 4;
        break;
    case 4:
        /* U2 = X2*Z1^2 */
        sp_521_mont_sqr_9(ctx->t2, p->z, p521_mod, p521_mp_mod);
        ctx->state = 5;
        break;
    case 5:
        sp_521_mont_mul_9(ctx->t4, ctx->t2, p->z, p521_mod, p521_mp_mod);
        ctx->state = 6;
        break;
    case 6:
        sp_521_mont_mul_9(ctx->t2, ctx->t2, q->x, p521_mod, p521_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* S1 = Y1*Z2^3 */
        sp_521_mont_mul_9(ctx->t3, ctx->t3, p->y, p521_mod, p521_mp_mod);
        ctx->state = 8;
        break;
    case 8:
        /* S2 = Y2*Z1^3 */
        sp_521_mont_mul_9(ctx->t4, ctx->t4, q->y, p521_mod, p521_mp_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Check double */
        if ((~p->infinity) & (~q->infinity) &
                sp_521_cmp_equal_9(ctx->t2, ctx->t1) &
                sp_521_cmp_equal_9(ctx->t4, ctx->t3)) {
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            sp_521_proj_point_dbl_9(r, p, t);
            ctx->state = 25;
        }
        else {
            ctx->state = 10;
        }
        break;
    case 10:
        /* H = U2 - U1 */
        sp_521_mont_sub_9(ctx->t2, ctx->t2, ctx->t1, p521_mod);
        ctx->state = 11;
        break;
    case 11:
        /* R = S2 - S1 */
        sp_521_mont_sub_9(ctx->t4, ctx->t4, ctx->t3, p521_mod);
        ctx->state = 12;
        break;
    case 12:
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_521_mont_sqr_9(ctx->t5, ctx->t2, p521_mod, p521_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        sp_521_mont_mul_9(ctx->y, ctx->t1, ctx->t5, p521_mod, p521_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        sp_521_mont_mul_9(ctx->t5, ctx->t5, ctx->t2, p521_mod, p521_mp_mod);
        ctx->state = 15;
        break;
    case 15:
        /* Z3 = H*Z1*Z2 */
        sp_521_mont_mul_9(ctx->z, p->z, ctx->t2, p521_mod, p521_mp_mod);
        ctx->state = 16;
        break;
    case 16:
        sp_521_mont_mul_9(ctx->z, ctx->z, q->z, p521_mod, p521_mp_mod);
        ctx->state = 17;
        break;
    case 17:
        sp_521_mont_sqr_9(ctx->x, ctx->t4, p521_mod, p521_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        sp_521_mont_sub_9(ctx->x, ctx->x, ctx->t5, p521_mod);
        ctx->state = 19;
        break;
    case 19:
        sp_521_mont_mul_9(ctx->t5, ctx->t5, ctx->t3, p521_mod, p521_mp_mod);
        ctx->state = 20;
        break;
    case 20:
        sp_521_mont_dbl_9(ctx->t3, ctx->y, p521_mod);
        sp_521_mont_sub_9(ctx->x, ctx->x, ctx->t3, p521_mod);
        ctx->state = 21;
        break;
    case 21:
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_521_mont_sub_9(ctx->y, ctx->y, ctx->x, p521_mod);
        ctx->state = 22;
        break;
    case 22:
        sp_521_mont_mul_9(ctx->y, ctx->y, ctx->t4, p521_mod, p521_mp_mod);
        ctx->state = 23;
        break;
    case 23:
        sp_521_mont_sub_9(ctx->y, ctx->y, ctx->t5, p521_mod);
        ctx->state = 24;
        break;
    case 24:
    {
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 9; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (ctx->x[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (ctx->y[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (ctx->z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
        ctx->state = 25;
        break;
    }
    case 25:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 25) {
        err = FP_WOULDBLOCK;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

/* Multiply a number by Montgomery normalizer mod modulus (prime).
 *
 * r  The resulting Montgomery form number.
 * a  The number to convert.
 * m  The modulus (prime).
 * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
 */
static int sp_521_mod_mul_norm_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    (void)m;

    if (r != a) {
        XMEMCPY(r, a, 9 * sizeof(sp_digit));
    }

    return MP_OKAY;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Small implementation using add and double that is cache attack resistant but
 * allocates memory rather than use large stacks.
 * 521 adds and doubles.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_9(sp_point_521* r, const sp_point_521* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_521 t[3];
    sp_digit tmp[2 * 9 * 6];
#endif
    sp_digit n;
    int i;
    int c;
    int y;
    int err = MP_OKAY;

    /* Implementation is constant time. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 6, heap,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        XMEMSET(t, 0, sizeof(sp_point_521) * 3);

        /* t[0] = {0, 0, 1} * norm */
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_521_mod_mul_norm_9(t[1].x, g->x, p521_mod);
    }
    if (err == MP_OKAY)
        err = sp_521_mod_mul_norm_9(t[1].y, g->y, p521_mod);
    if (err == MP_OKAY)
        err = sp_521_mod_mul_norm_9(t[1].z, g->z, p521_mod);

    if (err == MP_OKAY) {
        i = 8;
        c = 57;
        n = k[i--] << (58 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1)
                    break;

                n = k[i--];
                c = 58;
            }

            y = (n >> 57) & 1;
            n <<= 1;

            sp_521_proj_point_add_9(&t[y^1], &t[0], &t[1], tmp);

            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
                                   ((size_t)&t[1] & addr_mask[y])),
                    sizeof(sp_point_521));
            sp_521_proj_point_dbl_9(&t[2], &t[2], tmp);
            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
                            ((size_t)&t[1] & addr_mask[y])), &t[2],
                    sizeof(sp_point_521));
        }

        if (map != 0) {
            sp_521_map_9(r, &t[0], tmp);
        }
        else {
            XMEMCPY(r, &t[0], sizeof(sp_point_521));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
#endif
    {
        ForceZero(tmp, sizeof(sp_digit) * 2 * 9 * 6);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
#endif
    {
        ForceZero(t, sizeof(sp_point_521) * 3);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_521_ecc_mulmod_9_ctx {
    int state;
    union {
        sp_521_proj_point_dbl_9_ctx dbl_ctx;
        sp_521_proj_point_add_9_ctx add_ctx;
    };
    sp_point_521 t[3];
    sp_digit tmp[2 * 9 * 6];
    sp_digit n;
    int i;
    int c;
    int y;
} sp_521_ecc_mulmod_9_ctx;

static int sp_521_ecc_mulmod_9_nb(sp_ecc_ctx_t* sp_ctx, sp_point_521* r,
    const sp_point_521* g, const sp_digit* k, int map, int ct, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_521_ecc_mulmod_9_ctx* ctx = (sp_521_ecc_mulmod_9_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_521_ecc_mulmod_9_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    /* Implementation is constant time. */
    (void)ct;

    switch (ctx->state) {
    case 0: /* INIT */
        XMEMSET(ctx->t, 0, sizeof(sp_point_521) * 3);
        ctx->i = 8;
        ctx->c = 57;
        ctx->n = k[ctx->i--] << (58 - ctx->c);

        /* t[0] = {0, 0, 1} * norm */
        ctx->t[0].infinity = 1;
        ctx->state = 1;
        break;
    case 1: /* T1X */
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_521_mod_mul_norm_9(ctx->t[1].x, g->x, p521_mod);
        ctx->state = 2;
        break;
    case 2: /* T1Y */
        err = sp_521_mod_mul_norm_9(ctx->t[1].y, g->y, p521_mod);
        ctx->state = 3;
        break;
    case 3: /* T1Z */
        err = sp_521_mod_mul_norm_9(ctx->t[1].z, g->z, p521_mod);
        ctx->state = 4;
        break;
    case 4: /* ADDPREP */
        if (ctx->c == 0) {
            if (ctx->i == -1) {
                ctx->state = 7;
                break;
            }

            ctx->n = k[ctx->i--];
            ctx->c = 58;
        }
        ctx->y = (ctx->n >> 57) & 1;
        ctx->n <<= 1;
        XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
        ctx->state = 5;
        break;
    case 5: /* ADD */
        err = sp_521_proj_point_add_9_nb((sp_ecc_ctx_t*)&ctx->add_ctx,
            &ctx->t[ctx->y^1], &ctx->t[0], &ctx->t[1], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY(&ctx->t[2], (void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                                        ((size_t)&ctx->t[1] & addr_mask[ctx->y])),
                    sizeof(sp_point_521));
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* DBL */
        err = sp_521_proj_point_dbl_9_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->t[2],
            &ctx->t[2], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY((void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                            ((size_t)&ctx->t[1] & addr_mask[ctx->y])), &ctx->t[2],
                    sizeof(sp_point_521));
            ctx->state = 4;
            ctx->c--;
        }
        break;
    case 7: /* MAP */
        if (map != 0) {
            sp_521_map_9(r, &ctx->t[0], ctx->tmp);
        }
        else {
            XMEMCPY(r, &ctx->t[0], sizeof(sp_point_521));
        }
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 7) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        ForceZero(ctx->tmp, sizeof(ctx->tmp));
        ForceZero(ctx->t, sizeof(ctx->t));
    }

    (void)heap;

    return err;
}

#endif /* WOLFSSL_SP_NONBLOCK */

#else
/* A table entry for pre-computed points. */
typedef struct sp_table_entry_521 {
    sp_digit x[9];
    sp_digit y[9];
} sp_table_entry_521;

/* Conditionally copy a into r using the mask m.
 * m is -1 to copy and 0 when not.
 *
 * r  A single precision number to copy over.
 * a  A single precision number to copy.
 * m  Mask value to apply.
 */
static void sp_521_cond_copy_9(sp_digit* r, const sp_digit* a, const sp_digit m)
{
    sp_digit t[9];
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 9; i++) {
        t[i] = r[i] ^ a[i];
    }
    for (i = 0; i < 9; i++) {
        r[i] ^= t[i] & m;
    }
#else
    t[ 0] = r[ 0] ^ a[ 0];
    t[ 1] = r[ 1] ^ a[ 1];
    t[ 2] = r[ 2] ^ a[ 2];
    t[ 3] = r[ 3] ^ a[ 3];
    t[ 4] = r[ 4] ^ a[ 4];
    t[ 5] = r[ 5] ^ a[ 5];
    t[ 6] = r[ 6] ^ a[ 6];
    t[ 7] = r[ 7] ^ a[ 7];
    t[ 8] = r[ 8] ^ a[ 8];
    r[ 0] ^= t[ 0] & m;
    r[ 1] ^= t[ 1] & m;
    r[ 2] ^= t[ 2] & m;
    r[ 3] ^= t[ 3] & m;
    r[ 4] ^= t[ 4] & m;
    r[ 5] ^= t[ 5] & m;
    r[ 6] ^= t[ 6] & m;
    r[ 7] ^= t[ 7] & m;
    r[ 8] ^= t[ 8] & m;
#endif /* WOLFSSL_SP_SMALL */
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_521_proj_point_dbl_n_9(sp_point_521* p, int i,
    sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*9;
    sp_digit* b = t + 4*9;
    sp_digit* t1 = t + 6*9;
    sp_digit* t2 = t + 8*9;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
    volatile int n = i;

    x = p->x;
    y = p->y;
    z = p->z;

    /* Y = 2*Y */
    sp_521_mont_dbl_9(y, y, p521_mod);
    /* W = Z^4 */
    sp_521_mont_sqr_9(w, z, p521_mod, p521_mp_mod);
    sp_521_mont_sqr_9(w, w, p521_mod, p521_mp_mod);
#ifndef WOLFSSL_SP_SMALL
    while (--n > 0)
#else
    while (--n >= 0)
#endif
    {
        /* A = 3*(X^2 - W) */
        sp_521_mont_sqr_9(t1, x, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(t1, t1, w, p521_mod);
        sp_521_mont_tpl_9(a, t1, p521_mod);
        /* B = X*Y^2 */
        sp_521_mont_sqr_9(t1, y, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(b, t1, x, p521_mod, p521_mp_mod);
        /* X = A^2 - 2B */
        sp_521_mont_sqr_9(x, a, p521_mod, p521_mp_mod);
        sp_521_mont_dbl_9(t2, b, p521_mod);
        sp_521_mont_sub_9(x, x, t2, p521_mod);
        /* B = 2.(B - X) */
        sp_521_mont_sub_9(t2, b, x, p521_mod);
        sp_521_mont_dbl_9(b, t2, p521_mod);
        /* Z = Z*Y */
        sp_521_mont_mul_9(z, z, y, p521_mod, p521_mp_mod);
        /* t1 = Y^4 */
        sp_521_mont_sqr_9(t1, t1, p521_mod, p521_mp_mod);
#ifdef WOLFSSL_SP_SMALL
        if (n != 0)
#endif
        {
            /* W = W*Y^4 */
            sp_521_mont_mul_9(w, w, t1, p521_mod, p521_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_521_mont_mul_9(y, b, a, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(y, y, t1, p521_mod);
    }
#ifndef WOLFSSL_SP_SMALL
    /* A = 3*(X^2 - W) */
    sp_521_mont_sqr_9(t1, x, p521_mod, p521_mp_mod);
    sp_521_mont_sub_9(t1, t1, w, p521_mod);
    sp_521_mont_tpl_9(a, t1, p521_mod);
    /* B = X*Y^2 */
    sp_521_mont_sqr_9(t1, y, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(b, t1, x, p521_mod, p521_mp_mod);
    /* X = A^2 - 2B */
    sp_521_mont_sqr_9(x, a, p521_mod, p521_mp_mod);
    sp_521_mont_dbl_9(t2, b, p521_mod);
    sp_521_mont_sub_9(x, x, t2, p521_mod);
    /* B = 2.(B - X) */
    sp_521_mont_sub_9(t2, b, x, p521_mod);
    sp_521_mont_dbl_9(b, t2, p521_mod);
    /* Z = Z*Y */
    sp_521_mont_mul_9(z, z, y, p521_mod, p521_mp_mod);
    /* t1 = Y^4 */
    sp_521_mont_sqr_9(t1, t1, p521_mod, p521_mp_mod);
    /* y = 2*A*(B - X) - Y^4 */
    sp_521_mont_mul_9(y, b, a, p521_mod, p521_mp_mod);
    sp_521_mont_sub_9(y, y, t1, p521_mod);
#endif /* WOLFSSL_SP_SMALL */
    /* Y = Y/2 */
    sp_521_mont_div2_9(y, y, p521_mod);
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_521_proj_point_dbl_n_store_9(sp_point_521* r,
        const sp_point_521* p, int n, int m, sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*9;
    sp_digit* b = t + 4*9;
    sp_digit* t1 = t + 6*9;
    sp_digit* t2 = t + 8*9;
    sp_digit* x = r[2*m].x;
    sp_digit* y = r[(1<<n)*m].y;
    sp_digit* z = r[2*m].z;
    int i;
    int j;

    for (i=0; i<9; i++) {
        x[i] = p->x[i];
    }
    for (i=0; i<9; i++) {
        y[i] = p->y[i];
    }
    for (i=0; i<9; i++) {
        z[i] = p->z[i];
    }

    /* Y = 2*Y */
    sp_521_mont_dbl_9(y, y, p521_mod);
    /* W = Z^4 */
    sp_521_mont_sqr_9(w, z, p521_mod, p521_mp_mod);
    sp_521_mont_sqr_9(w, w, p521_mod, p521_mp_mod);
    j = m;
    for (i=1; i<=n; i++) {
        j *= 2;

        /* A = 3*(X^2 - W) */
        sp_521_mont_sqr_9(t1, x, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(t1, t1, w, p521_mod);
        sp_521_mont_tpl_9(a, t1, p521_mod);
        /* B = X*Y^2 */
        sp_521_mont_sqr_9(t1, y, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(b, t1, x, p521_mod, p521_mp_mod);
        x = r[j].x;
        /* X = A^2 - 2B */
        sp_521_mont_sqr_9(x, a, p521_mod, p521_mp_mod);
        sp_521_mont_dbl_9(t2, b, p521_mod);
        sp_521_mont_sub_9(x, x, t2, p521_mod);
        /* B = 2.(B - X) */
        sp_521_mont_sub_9(t2, b, x, p521_mod);
        sp_521_mont_dbl_9(b, t2, p521_mod);
        /* Z = Z*Y */
        sp_521_mont_mul_9(r[j].z, z, y, p521_mod, p521_mp_mod);
        z = r[j].z;
        /* t1 = Y^4 */
        sp_521_mont_sqr_9(t1, t1, p521_mod, p521_mp_mod);
        if (i != n) {
            /* W = W*Y^4 */
            sp_521_mont_mul_9(w, w, t1, p521_mod, p521_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_521_mont_mul_9(y, b, a, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(y, y, t1, p521_mod);
        /* Y = Y/2 */
        sp_521_mont_div2_9(r[j].y, y, p521_mod);
        r[j].infinity = 0;
    }
}

/* Add two Montgomery form projective points.
 *
 * ra  Result of addition.
 * rs  Result of subtraction.
 * p   First point to add.
 * q   Second point to add.
 * t   Temporary ordinate data.
 */
static void sp_521_proj_point_add_sub_9(sp_point_521* ra,
        sp_point_521* rs, const sp_point_521* p, const sp_point_521* q,
        sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*9;
    sp_digit* t3 = t + 4*9;
    sp_digit* t4 = t + 6*9;
    sp_digit* t5 = t + 8*9;
    sp_digit* t6 = t + 10*9;
    sp_digit* xa = ra->x;
    sp_digit* ya = ra->y;
    sp_digit* za = ra->z;
    sp_digit* xs = rs->x;
    sp_digit* ys = rs->y;
    sp_digit* zs = rs->z;


    XMEMCPY(xa, p->x, sizeof(p->x) / 2);
    XMEMCPY(ya, p->y, sizeof(p->y) / 2);
    XMEMCPY(za, p->z, sizeof(p->z) / 2);
    ra->infinity = 0;
    rs->infinity = 0;

    /* U1 = X1*Z2^2 */
    sp_521_mont_sqr_9(t1, q->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t3, t1, q->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t1, t1, xa, p521_mod, p521_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_521_mont_sqr_9(t2, za, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t4, t2, za, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t2, t2, q->x, p521_mod, p521_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_521_mont_mul_9(t3, t3, ya, p521_mod, p521_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_521_mont_mul_9(t4, t4, q->y, p521_mod, p521_mp_mod);
    /* H = U2 - U1 */
    sp_521_mont_sub_9(t2, t2, t1, p521_mod);
    /* RS = S2 + S1 */
    sp_521_mont_add_9(t6, t4, t3, p521_mod);
    /* R = S2 - S1 */
    sp_521_mont_sub_9(t4, t4, t3, p521_mod);
    /* Z3 = H*Z1*Z2 */
    /* ZS = H*Z1*Z2 */
    sp_521_mont_mul_9(za, za, q->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(za, za, t2, p521_mod, p521_mp_mod);
    XMEMCPY(zs, za, sizeof(p->z)/2);
    /* X3 = R^2 - H^3 - 2*U1*H^2 */
    /* XS = RS^2 - H^3 - 2*U1*H^2 */
    sp_521_mont_sqr_9(xa, t4, p521_mod, p521_mp_mod);
    sp_521_mont_sqr_9(xs, t6, p521_mod, p521_mp_mod);
    sp_521_mont_sqr_9(t5, t2, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(ya, t1, t5, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t5, t5, t2, p521_mod, p521_mp_mod);
    sp_521_mont_sub_9(xa, xa, t5, p521_mod);
    sp_521_mont_sub_9(xs, xs, t5, p521_mod);
    sp_521_mont_dbl_9(t1, ya, p521_mod);
    sp_521_mont_sub_9(xa, xa, t1, p521_mod);
    sp_521_mont_sub_9(xs, xs, t1, p521_mod);
    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
    sp_521_mont_sub_9(ys, ya, xs, p521_mod);
    sp_521_mont_sub_9(ya, ya, xa, p521_mod);
    sp_521_mont_mul_9(ya, ya, t4, p521_mod, p521_mp_mod);
    sp_521_sub_9(t6, p521_mod, t6);
    sp_521_mont_mul_9(ys, ys, t6, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t5, t5, t3, p521_mod, p521_mp_mod);
    sp_521_mont_sub_9(ya, ya, t5, p521_mod);
    sp_521_mont_sub_9(ys, ys, t5, p521_mod);
}

/* Structure used to describe recoding of scalar multiplication. */
typedef struct ecc_recode_521 {
    /* Index into pre-computation table. */
    uint8_t i;
    /* Use the negative of the point. */
    uint8_t neg;
} ecc_recode_521;

/* The index into pre-computation table to use. */
static const uint8_t recode_index_9_6[66] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
     0,  1,
};

/* Whether to negate y-ordinate. */
static const uint8_t recode_neg_9_6[66] = {
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     0,  0,
};

/* Recode the scalar for multiplication using pre-computed values and
 * subtraction.
 *
 * k  Scalar to multiply by.
 * v  Vector of operations to perform.
 */
static void sp_521_ecc_recode_6_9(const sp_digit* k, ecc_recode_521* v)
{
    int i;
    int j;
    uint8_t y;
    int carry = 0;
    int o;
    sp_digit n;

    j = 0;
    n = k[j];
    o = 0;
    for (i=0; i<87; i++) {
        y = (int8_t)n;
        if (o + 6 < 58) {
            y &= 0x3f;
            n >>= 6;
            o += 6;
        }
        else if (o + 6 == 58) {
            n >>= 6;
            if (++j < 9)
                n = k[j];
            o = 0;
        }
        else if (++j < 9) {
            n = k[j];
            y |= (uint8_t)((n << (58 - o)) & 0x3f);
            o -= 52;
            n >>= o;
        }

        y += (uint8_t)carry;
        v[i].i = recode_index_9_6[y];
        v[i].neg = recode_neg_9_6[y];
        carry = (y >> 6) + v[i].neg;
    }
}

#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible point that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_521_get_point_33_9(sp_point_521* r, const sp_point_521* table,
    int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->x[5] = 0;
    r->x[6] = 0;
    r->x[7] = 0;
    r->x[8] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    r->y[5] = 0;
    r->y[6] = 0;
    r->y[7] = 0;
    r->y[8] = 0;
    r->z[0] = 0;
    r->z[1] = 0;
    r->z[2] = 0;
    r->z[3] = 0;
    r->z[4] = 0;
    r->z[5] = 0;
    r->z[6] = 0;
    r->z[7] = 0;
    r->z[8] = 0;
    for (i = 1; i < 33; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->x[5] |= mask & table[i].x[5];
        r->x[6] |= mask & table[i].x[6];
        r->x[7] |= mask & table[i].x[7];
        r->x[8] |= mask & table[i].x[8];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
        r->y[5] |= mask & table[i].y[5];
        r->y[6] |= mask & table[i].y[6];
        r->y[7] |= mask & table[i].y[7];
        r->y[8] |= mask & table[i].y[8];
        r->z[0] |= mask & table[i].z[0];
        r->z[1] |= mask & table[i].z[1];
        r->z[2] |= mask & table[i].z[2];
        r->z[3] |= mask & table[i].z[3];
        r->z[4] |= mask & table[i].z[4];
        r->z[5] |= mask & table[i].z[5];
        r->z[6] |= mask & table[i].z[6];
        r->z[7] |= mask & table[i].z[7];
        r->z[8] |= mask & table[i].z[8];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Window technique of 6 bits. (Add-Sub variation.)
 * Calculate 0..32 times the point. Use function that adds and
 * subtracts the same two points.
 * Recode to add or subtract one of the computed points.
 * Double to push up.
 * NOT a sliding window.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_win_add_sub_9(sp_point_521* r, const sp_point_521* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_521 t[33+2];
    sp_digit tmp[2 * 9 * 6];
#endif
    sp_point_521* rt = NULL;
    sp_point_521* p = NULL;
    sp_digit* negy;
    int i;
    ecc_recode_521 v[87];
    int err = MP_OKAY;

    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_521*)XMALLOC(sizeof(sp_point_521) *
        (33+2), heap, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 6,
                                 heap, DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        rt = t + 33;
        p  = t + 33+1;

        /* t[0] = {0, 0, 1} * norm */
        XMEMSET(&t[0], 0, sizeof(t[0]));
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_521_mod_mul_norm_9(t[1].x, g->x, p521_mod);
    }
    if (err == MP_OKAY) {
        err = sp_521_mod_mul_norm_9(t[1].y, g->y, p521_mod);
    }
    if (err == MP_OKAY) {
        err = sp_521_mod_mul_norm_9(t[1].z, g->z, p521_mod);
    }

    if (err == MP_OKAY) {
        t[1].infinity = 0;
        /* t[2] ... t[32]  */
        sp_521_proj_point_dbl_n_store_9(t, &t[ 1], 5, 1, tmp);
        sp_521_proj_point_add_9(&t[ 3], &t[ 2], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[ 6], &t[ 3], tmp);
        sp_521_proj_point_add_sub_9(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[10], &t[ 5], tmp);
        sp_521_proj_point_add_sub_9(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[12], &t[ 6], tmp);
        sp_521_proj_point_dbl_9(&t[14], &t[ 7], tmp);
        sp_521_proj_point_add_sub_9(&t[15], &t[13], &t[14], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[18], &t[ 9], tmp);
        sp_521_proj_point_add_sub_9(&t[19], &t[17], &t[18], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[20], &t[10], tmp);
        sp_521_proj_point_dbl_9(&t[22], &t[11], tmp);
        sp_521_proj_point_add_sub_9(&t[23], &t[21], &t[22], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[24], &t[12], tmp);
        sp_521_proj_point_dbl_9(&t[26], &t[13], tmp);
        sp_521_proj_point_add_sub_9(&t[27], &t[25], &t[26], &t[ 1], tmp);
        sp_521_proj_point_dbl_9(&t[28], &t[14], tmp);
        sp_521_proj_point_dbl_9(&t[30], &t[15], tmp);
        sp_521_proj_point_add_sub_9(&t[31], &t[29], &t[30], &t[ 1], tmp);

        negy = t[0].y;

        sp_521_ecc_recode_6_9(k, v);

        i = 86;
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_521_get_point_33_9(rt, t, v[i].i);
            rt->infinity = !v[i].i;
        }
        else
    #endif
        {
            XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_521));
        }
        for (--i; i>=0; i--) {
            sp_521_proj_point_dbl_n_9(rt, 6, tmp);

        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_521_get_point_33_9(p, t, v[i].i);
                p->infinity = !v[i].i;
            }
            else
        #endif
            {
                XMEMCPY(p, &t[v[i].i], sizeof(sp_point_521));
            }
            sp_521_sub_9(negy, p521_mod, p->y);
            sp_521_norm_9(negy);
            sp_521_cond_copy_9(p->y, negy, (sp_digit)0 - v[i].neg);
            sp_521_proj_point_add_9(rt, rt, p, tmp);
        }

        if (map != 0) {
            sp_521_map_9(r, rt, tmp);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_521));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (tmp != NULL)
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#endif /* FP_ECC */
/* Add two Montgomery form projective points. The second point has a q value of
 * one.
 * Only the first point can be the same pointer as the result point.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_521_proj_point_add_qz1_9(sp_point_521* r,
    const sp_point_521* p, const sp_point_521* q, sp_digit* t)
{
    sp_digit* t2 = t;
    sp_digit* t3 = t + 2*9;
    sp_digit* t6 = t + 4*9;
    sp_digit* t1 = t + 6*9;
    sp_digit* t4 = t + 8*9;
    sp_digit* t5 = t + 10*9;

    /* Calculate values to subtract from P->x and P->y. */
    /* U2 = X2*Z1^2 */
    sp_521_mont_sqr_9(t2, p->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t4, t2, p->z, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t2, t2, q->x, p521_mod, p521_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_521_mont_mul_9(t4, t4, q->y, p521_mod, p521_mp_mod);

    if ((~p->infinity) & (~q->infinity) &
            sp_521_cmp_equal_9(p->x, t2) &
            sp_521_cmp_equal_9(p->y, t4)) {
        sp_521_proj_point_dbl_9(r, p, t);
    }
    else {
        sp_digit* x = t2;
        sp_digit* y = t3;
        sp_digit* z = t6;

        /* H = U2 - X1 */
        sp_521_mont_sub_9(t2, t2, p->x, p521_mod);
        /* R = S2 - Y1 */
        sp_521_mont_sub_9(t4, t4, p->y, p521_mod);
        /* Z3 = H*Z1 */
        sp_521_mont_mul_9(z, p->z, t2, p521_mod, p521_mp_mod);
        /* X3 = R^2 - H^3 - 2*X1*H^2 */
        sp_521_mont_sqr_9(t1, t2, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(t3, p->x, t1, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(t1, t1, t2, p521_mod, p521_mp_mod);
        sp_521_mont_sqr_9(t2, t4, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(t2, t2, t1, p521_mod);
        sp_521_mont_dbl_9(t5, t3, p521_mod);
        sp_521_mont_sub_9(x, t2, t5, p521_mod);
        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
        sp_521_mont_sub_9(t3, t3, x, p521_mod);
        sp_521_mont_mul_9(t3, t3, t4, p521_mod, p521_mp_mod);
        sp_521_mont_mul_9(t1, t1, p->y, p521_mod, p521_mp_mod);
        sp_521_mont_sub_9(y, t3, t1, p521_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 9; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 9; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef FP_ECC
/* Convert the projective point to affine.
 * Ordinates are in Montgomery form.
 *
 * a  Point to convert.
 * t  Temporary data.
 */
static void sp_521_proj_to_affine_9(sp_point_521* a, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 9;
    sp_digit* tmp = t + 4 * 9;

    sp_521_mont_inv_9(t1, a->z, tmp);

    sp_521_mont_sqr_9(t2, t1, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(t1, t2, t1, p521_mod, p521_mp_mod);

    sp_521_mont_mul_9(a->x, a->x, t2, p521_mod, p521_mp_mod);
    sp_521_mont_mul_9(a->y, a->y, t1, p521_mod, p521_mp_mod);
    XMEMCPY(a->z, p521_norm_mod, sizeof(p521_norm_mod));
}

/* Generate the pre-computed table of points for the base point.
 *
 * width = 8
 * 256 entries
 * 65 bits between
 *
 * a      The base point.
 * table  Place to store generated point data.
 * tmp    Temporary data.
 * heap  Heap to use for allocation.
 */
static int sp_521_gen_stripe_table_9(const sp_point_521* a,
        sp_table_entry_521* table, sp_digit* tmp, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* t = NULL;
#else
    sp_point_521 t[3];
#endif
    sp_point_521* s1 = NULL;
    sp_point_521* s2 = NULL;
    int i;
    int j;
    int err = MP_OKAY;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        s1 = t + 1;
        s2 = t + 2;

        err = sp_521_mod_mul_norm_9(t->x, a->x, p521_mod);
    }
    if (err == MP_OKAY) {
        err = sp_521_mod_mul_norm_9(t->y, a->y, p521_mod);
    }
    if (err == MP_OKAY) {
        err = sp_521_mod_mul_norm_9(t->z, a->z, p521_mod);
    }
    if (err == MP_OKAY) {
        t->infinity = 0;
        sp_521_proj_to_affine_9(t, tmp);

        XMEMCPY(s1->z, p521_norm_mod, sizeof(p521_norm_mod));
        s1->infinity = 0;
        XMEMCPY(s2->z, p521_norm_mod, sizeof(p521_norm_mod));
        s2->infinity = 0;

        /* table[0] = {0, 0, infinity} */
        XMEMSET(&table[0], 0, sizeof(sp_table_entry_521));
        /* table[1] = Affine version of 'a' in Montgomery form */
        XMEMCPY(table[1].x, t->x, sizeof(table->x));
        XMEMCPY(table[1].y, t->y, sizeof(table->y));

        for (i=1; i<8; i++) {
            sp_521_proj_point_dbl_n_9(t, 66, tmp);
            sp_521_proj_to_affine_9(t, tmp);
            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
        }

        for (i=1; i<8; i++) {
            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
                sp_521_proj_point_add_qz1_9(t, s1, s2, tmp);
                sp_521_proj_to_affine_9(t, tmp);
                XMEMCPY(table[j].x, t->x, sizeof(table->x));
                XMEMCPY(table[j].y, t->y, sizeof(table->y));
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* FP_ECC */
#ifndef WC_NO_CACHE_RESISTANT
/* Touch each possible entry that could be being copied.
 *
 * r      Point to copy into.
 * table  Table - start of the entries to access
 * idx    Index of entry to retrieve.
 */
static void sp_521_get_entry_256_9(sp_point_521* r,
    const sp_table_entry_521* table, int idx)
{
    int i;
    sp_digit mask;

    r->x[0] = 0;
    r->x[1] = 0;
    r->x[2] = 0;
    r->x[3] = 0;
    r->x[4] = 0;
    r->x[5] = 0;
    r->x[6] = 0;
    r->x[7] = 0;
    r->x[8] = 0;
    r->y[0] = 0;
    r->y[1] = 0;
    r->y[2] = 0;
    r->y[3] = 0;
    r->y[4] = 0;
    r->y[5] = 0;
    r->y[6] = 0;
    r->y[7] = 0;
    r->y[8] = 0;
    for (i = 1; i < 256; i++) {
        mask = 0 - (i == idx);
        r->x[0] |= mask & table[i].x[0];
        r->x[1] |= mask & table[i].x[1];
        r->x[2] |= mask & table[i].x[2];
        r->x[3] |= mask & table[i].x[3];
        r->x[4] |= mask & table[i].x[4];
        r->x[5] |= mask & table[i].x[5];
        r->x[6] |= mask & table[i].x[6];
        r->x[7] |= mask & table[i].x[7];
        r->x[8] |= mask & table[i].x[8];
        r->y[0] |= mask & table[i].y[0];
        r->y[1] |= mask & table[i].y[1];
        r->y[2] |= mask & table[i].y[2];
        r->y[3] |= mask & table[i].y[3];
        r->y[4] |= mask & table[i].y[4];
        r->y[5] |= mask & table[i].y[5];
        r->y[6] |= mask & table[i].y[6];
        r->y[7] |= mask & table[i].y[7];
        r->y[8] |= mask & table[i].y[8];
    }
}
#endif /* !WC_NO_CACHE_RESISTANT */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^65, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r      Resulting point.
 * k      Scalar to multiply by.
 * table  Pre-computed table.
 * map    Indicates whether to convert result to affine.
 * ct     Constant time required.
 * heap   Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_stripe_9(sp_point_521* r, const sp_point_521* g,
        const sp_table_entry_521* table, const sp_digit* k, int map,
        int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* rt = NULL;
    sp_digit* t = NULL;
#else
    sp_point_521 rt[2];
    sp_digit t[2 * 9 * 6];
#endif
    sp_point_521* p = NULL;
    int i;
    int j;
    int y;
    int x;
    int err = MP_OKAY;

    (void)g;
    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;


#ifdef WOLFSSL_SP_SMALL_STACK
    rt = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap,
                                      DYNAMIC_TYPE_ECC);
    if (rt == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 6, heap,
                               DYNAMIC_TYPE_ECC);
        if (t == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = rt + 1;

        XMEMCPY(p->z, p521_norm_mod, sizeof(p521_norm_mod));
        XMEMCPY(rt->z, p521_norm_mod, sizeof(p521_norm_mod));

        y = 0;
        x = 65;
        for (j=0; j<8 && x<521; j++) {
            y |= (int)(((k[x / 58] >> (x % 58)) & 1) << j);
            x += 66;
        }
    #ifndef WC_NO_CACHE_RESISTANT
        if (ct) {
            sp_521_get_entry_256_9(rt, table, y);
        } else
    #endif
        {
            XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
            XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
        }
        rt->infinity = !y;
        for (i=64; i>=0; i--) {
            y = 0;
            x = i;
            for (j=0; j<8 && x<521; j++) {
                y |= (int)(((k[x / 58] >> (x % 58)) & 1) << j);
                x += 66;
            }

            sp_521_proj_point_dbl_9(rt, rt, t);
        #ifndef WC_NO_CACHE_RESISTANT
            if (ct) {
                sp_521_get_entry_256_9(p, table, y);
            }
            else
        #endif
            {
                XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
                XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
            }
            p->infinity = !y;
            sp_521_proj_point_add_qz1_9(rt, rt, p, t);
        }

        if (map != 0) {
            sp_521_map_9(r, rt, t);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_521));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (rt != NULL)
        XFREE(rt, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#ifndef FP_ENTRIES
    #define FP_ENTRIES 16
#endif

/* Cache entry - holds precomputation tables for a point. */
typedef struct sp_cache_521_t {
    /* X ordinate of point that table was generated from. */
    sp_digit x[9];
    /* Y ordinate of point that table was generated from. */
    sp_digit y[9];
    /* Precomputation table for point. */
    sp_table_entry_521 table[256];
    /* Count of entries in table. */
    uint32_t cnt;
    /* Point and table set in entry. */
    int set;
} sp_cache_521_t;

/* Cache of tables. */
static THREAD_LS_T sp_cache_521_t sp_cache_521[FP_ENTRIES];
/* Index of last entry in cache. */
static THREAD_LS_T int sp_cache_521_last = -1;
/* Cache has been initialized. */
static THREAD_LS_T int sp_cache_521_inited = 0;

#ifndef HAVE_THREAD_LS
    static volatile int initCacheMutex_521 = 0;
    static wolfSSL_Mutex sp_cache_521_lock;
#endif

/* Get the cache entry for the point.
 *
 * g      [in]   Point scalar multiplying.
 * cache  [out]  Cache table to use.
 */
static void sp_ecc_get_cache_521(const sp_point_521* g, sp_cache_521_t** cache)
{
    int i;
    int j;
    uint32_t least;

    if (sp_cache_521_inited == 0) {
        for (i=0; i<FP_ENTRIES; i++) {
            sp_cache_521[i].set = 0;
        }
        sp_cache_521_inited = 1;
    }

    /* Compare point with those in cache. */
    for (i=0; i<FP_ENTRIES; i++) {
        if (!sp_cache_521[i].set)
            continue;

        if (sp_521_cmp_equal_9(g->x, sp_cache_521[i].x) &
                           sp_521_cmp_equal_9(g->y, sp_cache_521[i].y)) {
            sp_cache_521[i].cnt++;
            break;
        }
    }

    /* No match. */
    if (i == FP_ENTRIES) {
        /* Find empty entry. */
        i = (sp_cache_521_last + 1) % FP_ENTRIES;
        for (; i != sp_cache_521_last; i=(i+1)%FP_ENTRIES) {
            if (!sp_cache_521[i].set) {
                break;
            }
        }

        /* Evict least used. */
        if (i == sp_cache_521_last) {
            least = sp_cache_521[0].cnt;
            for (j=1; j<FP_ENTRIES; j++) {
                if (sp_cache_521[j].cnt < least) {
                    i = j;
                    least = sp_cache_521[i].cnt;
                }
            }
        }

        XMEMCPY(sp_cache_521[i].x, g->x, sizeof(sp_cache_521[i].x));
        XMEMCPY(sp_cache_521[i].y, g->y, sizeof(sp_cache_521[i].y));
        sp_cache_521[i].set = 1;
        sp_cache_521[i].cnt = 1;
    }

    *cache = &sp_cache_521[i];
    sp_cache_521_last = i;
}
#endif /* FP_ECC */

/* Multiply the base point of P521 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_9(sp_point_521* r, const sp_point_521* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifndef FP_ECC
    return sp_521_ecc_mulmod_win_add_sub_9(r, g, k, map, ct, heap);
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp;
#else
    sp_digit tmp[2 * 9 * 6];
#endif
    sp_cache_521_t* cache;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 6, heap, DYNAMIC_TYPE_ECC);
    if (tmp == NULL) {
        err = MEMORY_E;
    }
#endif
#ifndef HAVE_THREAD_LS
    if (err == MP_OKAY) {
        if (initCacheMutex_521 == 0) {
            wc_InitMutex(&sp_cache_521_lock);
            initCacheMutex_521 = 1;
        }
        if (wc_LockMutex(&sp_cache_521_lock) != 0) {
            err = BAD_MUTEX_E;
        }
    }
#endif /* HAVE_THREAD_LS */

    if (err == MP_OKAY) {
        sp_ecc_get_cache_521(g, &cache);
        if (cache->cnt == 2)
            sp_521_gen_stripe_table_9(g, cache->table, tmp, heap);

#ifndef HAVE_THREAD_LS
        wc_UnLockMutex(&sp_cache_521_lock);
#endif /* HAVE_THREAD_LS */

        if (cache->cnt < 2) {
            err = sp_521_ecc_mulmod_win_add_sub_9(r, g, k, map, ct, heap);
        }
        else {
            err = sp_521_ecc_mulmod_stripe_9(r, g, cache->table, k,
                    map, ct, heap);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif
    return err;
#endif
}

#endif
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * p     Point to multiply.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_521(const mp_int* km, const ecc_point* gm, ecc_point* r,
        int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_521 point[1];
    sp_digit k[9];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_521_from_mp(k, 9, km);
        sp_521_point_from_ecc_point_9(point, gm);

            err = sp_521_ecc_mulmod_9(point, point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_521_point_to_ecc_point_9(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the point by the scalar, add point a and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * p       Point to multiply.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_add_521(const mp_int* km, const ecc_point* gm,
    const ecc_point* am, int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_521 point[2];
    sp_digit k[9 + 9 * 2 * 6];
#endif
    sp_point_521* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (9 + 9 * 2 * 6), heap,
            DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 9;

        sp_521_from_mp(k, 9, km);
        sp_521_point_from_ecc_point_9(point, gm);
        sp_521_point_from_ecc_point_9(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->x, addP->x, p521_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->y, addP->y, p521_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->z, addP->z, p521_mod);
    }
    if (err == MP_OKAY) {
            err = sp_521_ecc_mulmod_9(point, point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_521_proj_point_add_9(point, point, addP, tmp);

        if (map) {
                sp_521_map_9(point, point, tmp);
        }

        err = sp_521_point_to_ecc_point_9(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the base point of P521 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_base_9(sp_point_521* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_521_ecc_mulmod_9(r, &p521_base, k, map, ct, heap);
}

#ifdef WOLFSSL_SP_NONBLOCK
static int sp_521_ecc_mulmod_base_9_nb(sp_ecc_ctx_t* sp_ctx, sp_point_521* r,
        const sp_digit* k, int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_521_ecc_mulmod_9_nb(sp_ctx, r, &p521_base, k, map, ct, heap);
}
#endif /* WOLFSSL_SP_NONBLOCK */


#else
/* Striping precomputation table.
 * 8 points combined into a table of 256 points.
 * Distance of 66 between points.
 */
static const sp_table_entry_521 p521_table[256] = {
    /* 0 */
    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
    /* 1 */
    { { 0x17e7e31c2e5bd66L,0x22cf0615a90a6feL,0x0127a2ffa8de334L,
        0x1dfbf9d64a3f877L,0x06b4d3dbaa14b5eL,0x14fed487e0a2bd8L,
        0x15b4429c6481390L,0x3a73678fb2d988eL,0x0c6858e06b70404L },
      { 0x0be94769fd16650L,0x31c21a89cb09022L,0x39013fad0761353L,
        0x2657bd099031542L,0x3273e662c97ee72L,0x1e6d11a05ebef45L,
        0x3d1bd998f544495L,0x3001172297ed0b1L,0x11839296a789a3bL } },
    /* 2 */
    { { 0x03986670f0ccb51L,0x387404d9525d2a0L,0x0f21b2b29ed9b87L,
        0x2aa8eb74cddfd63L,0x0e9d08ffb06c0e9L,0x19d8589fc4ecd74L,
        0x0a3ef4dd8bf44c9L,0x0eb6e92863051d6L,0x13e96a576dda004L },
      { 0x3de24f8632d95a3L,0x057bc5314920a4aL,0x063e9bdaba1979fL,
        0x3d2a58adc1eab76L,0x214258d98dde053L,0x18708d7316628b7L,
        0x3fd32c9fa5a19d0L,0x33ab03b519443a3L,0x1852aea9dd1ef78L } },
    /* 3 */
    { { 0x0a91dd8eaaf1fe3L,0x0e19891002d4af4L,0x06a921abf0d20dbL,
        0x26a9da32503fda8L,0x09a1eec37941287L,0x1ce0d0f3cde46afL,
        0x22abc1c913fbe62L,0x3cc4dca2d0aaf88L,0x157874c0a862b9eL },
      { 0x2c8f184e6f03d49L,0x0d5f907922f80c2L,0x1ef3815cbdefa9cL,
        0x2ad7f6370f00b39L,0x1faeb109d7a41c7L,0x213d34e12fbd9f2L,
        0x2f0aae2f98cca1aL,0x25a2df80f51f59cL,0x00724b1ab581d58L } },
    /* 4 */
    { { 0x04f2d4bdf9314e0L,0x3a14379e802ab24L,0x1083582efb03daaL,
        0x20fb1ff9b49e48cL,0x2199d74a880f1c2L,0x25401f9cb56ce65L,
        0x33f03e5f120b9b3L,0x2da18c348ddcd1dL,0x121f4c192733b78L },
      { 0x103ff6dfa8b51f0L,0x2bed45038af7c3cL,0x380e83254171ae7L,
        0x2e33684365444c0L,0x24f3a8c01e83501L,0x3201c1a4415ddc7L,
        0x2238218f52196aaL,0x29fc4d826c2aa95L,0x1db8c25790694a0L } },
    /* 5 */
    { { 0x00370ccb2c0958dL,0x3bc599a69ece1ccL,0x33cf480c9b3889aL,
        0x3cbeacf85249e4bL,0x2507489670b2984L,0x34cf6caa5d4790dL,
        0x0a4daa9cab99d5aL,0x1cc95365174cad1L,0x00aa26cca5216c7L },
      { 0x1be1d41f9e66d18L,0x3bbe5aa845f9eb3L,0x14a2ddb0d24b80aL,
        0x09d7262defc14c8L,0x2dfd3c8486dcfb2L,0x329354b184f9d0dL,
        0x151e646e703fa13L,0x149f43238a5dc61L,0x1c6f5e90eacbfa8L } },
    /* 6 */
    { { 0x2c2f1e74ab2d58fL,0x2fe0b0a825e00a8L,0x2b24770bb76ac1bL,
        0x3b5599fdef5960fL,0x2fd96897e8e4ed9L,0x3ef83c576300761L,
        0x1cdcb166395a133L,0x3ac954793ce7766L,0x082de08424a720dL },
      { 0x3aa53b260ea91afL,0x212bdde8c77f765L,0x32395cd09bbea43L,
        0x36bcc016387360bL,0x2e5c78e97997c19L,0x1d6c611510ed831L,
        0x02ce16faae9b5f5L,0x3ea1973a1bccc23L,0x073983ce58f4f63L } },
    /* 7 */
    { { 0x2e931318217609dL,0x2a7750904bf002bL,0x264c286c63297f8L,
        0x359efc7197b845fL,0x38d03eee5cc3782L,0x2ae4de67a305136L,
        0x3784c701acacb29L,0x3361c857ac6d6c1L,0x0f82c409fa81affL },
      { 0x07d3766378139a4L,0x25a7aed56faa4c0L,0x0d6f68c8bc9dc6dL,
        0x1857e4fc90b1f18L,0x2741717d9844e84L,0x02fc483a118728aL,
        0x1699d78e930e79fL,0x2db7b85552809adL,0x07de69c77026a4fL } },
    /* 8 */
    { { 0x1b51bb04bee80d7L,0x3da87dda4b79a58L,0x246ca0ebc3bd0e1L,
        0x29e4c1913c20de7L,0x3390db0771c0bffL,0x2b6873a65f19ee1L,
        0x14b512095c33e1fL,0x21958f1402b76b1L,0x0b0c231d360d311L },
      { 0x228929839bcab2fL,0x019e01937488281L,0x2084763dc2a0c0cL,
        0x1cc64e30f8c18bdL,0x152e46eb988e9daL,0x297783f5a6fa3cbL,
        0x2c0e26e55c8d2d6L,0x3fd5fce8ff58f6cL,0x14a899c6d9f1e4bL } },
    /* 9 */
    { { 0x3f6e3a1ec05ce88L,0x30925adabf480a7L,0x20776fbeb007f8fL,
        0x2f7baf7b5002e74L,0x2693700f7b50ec0L,0x3dec0c3abbe5dd0L,
        0x101f77806e37a13L,0x2b83d73c5f45c6eL,0x1599036e5dfca95L },
      { 0x0af64b5000e8e0cL,0x0ab8101bed37e40L,0x1a67449f23bad3fL,
        0x108956c96a57d87L,0x28e33c6500ca918L,0x0b009f07e9abcf9L,
        0x2840a514373c00cL,0x1090267cf36865cL,0x0e798c62b79d0e8L } },
    /* 10 */
    { { 0x0c7c4a8ae4d0f28L,0x2957bd59b401bbaL,0x1f65066e40233a8L,
        0x2d574c86dd8de61L,0x2b8351b078deccaL,0x1f5522ace2e59b5L,
        0x31ab0b2e889e535L,0x14dedea7a38bf98L,0x05945c60f95e75cL },
      { 0x0a27d347867d79cL,0x182c5607206602fL,0x19ab976b8c517f4L,
        0x21986e47b65fb0bL,0x1d9c1d15ffcd044L,0x253276e5cc29e89L,
        0x2c5a3b8a2cf259fL,0x0c7ba39e12e1d77L,0x004062526073e51L } },
    /* 11 */
    { { 0x2e04e5cf1631bbaL,0x1b077c55bd14937L,0x3f30e4c3099040eL,
        0x10dadaafb1c1980L,0x0f6b94f6edb649aL,0x1adf82d4d53d427L,
        0x1e6dd27fecf4693L,0x1432a9e9c41fae8L,0x022889edac56894L },
      { 0x012916ed05596f2L,0x0076b2c08f2e2e4L,0x13ece7d4abe1e39L,
        0x102a7240c4c9407L,0x1c6d146d0b28150L,0x13b8625a76f34fcL,
        0x1226fb6fa1d5b17L,0x0261126ba8586a4L,0x154754ceedfb8a8L } },
    /* 12 */
    { { 0x24e27b04270b2f0L,0x0d3922fd35d35edL,0x3e8b0c2722ba84bL,
        0x2767fe6dc72c61aL,0x334fd6bc4f54a58L,0x104bd276621f937L,
        0x389d16b7c669fd7L,0x381d1002366eddfL,0x1cfafb9426bc902L },
      { 0x0a4f2d1662935caL,0x1f1c0e65f7311b3L,0x29e5353c79f8284L,
        0x2254857c3d30227L,0x080911b9d9ed8d9L,0x3789ea8d673c22fL,
        0x1e320d4b03540e6L,0x064ed4bd358fbdaL,0x0e6a0217fd694efL } },
    /* 13 */
    { { 0x37de62774214780L,0x19a05c81d167aadL,0x39b7e9c7fb01ca0L,
        0x3075b52df1fde15L,0x0a66caa39e55548L,0x2141693d15d5864L,
        0x0864ebf8141b039L,0x274fe972835f132L,0x053bf8af9509e12L },
      { 0x09b29d885285092L,0x0c76aa3bb5797efL,0x290ef618aab982fL,
        0x3d34989bb4670cdL,0x307ed8e090eee14L,0x1cdb410108a55c2L,
        0x27d01d1977920e8L,0x2dced1fb897ffb7L,0x1b93c921c3abc7aL } },
    /* 14 */
    { { 0x36a07cca08b2b14L,0x1e37aefc5d31fc2L,0x3828c40cb2a4aa9L,
        0x1ca42b720e0a472L,0x28c1edde695c782L,0x03ef4880236a2caL,
        0x2db94e741ceb2f9L,0x152397e272794c8L,0x07d18266085b73cL },
      { 0x1ebf82a2defd012L,0x32c2516854dfbdaL,0x35353ef0811d01eL,
        0x29ecaf537a8f155L,0x27bf969c859c882L,0x2c96b46c0287e5cL,
        0x136005063adf5e0L,0x3f861307fcc1bc9L,0x1178e515bec4112L } },
    /* 15 */
    { { 0x314787fefe3d3d5L,0x1dbd967625c89e4L,0x3ed1e0b6acf529eL,
        0x080717a3764571dL,0x15f5667af9c2b7bL,0x0d5dbbd1e200e3cL,
        0x00154af38c766ffL,0x0ed4e7c188f2001L,0x09647d3c44bde88L },
      { 0x2075638de1b21a4L,0x0e67055c420704cL,0x206775c03599bb6L,
        0x1feb79833d4c8b9L,0x0efc190595c7fdeL,0x35ece5806c65510L,
        0x2fa73e7e70ac8cdL,0x01d912a96a0f5a9L,0x04234f8cfac6308L } },
    /* 16 */
    { { 0x231e71a286492adL,0x0f791197e1ab13bL,0x00d4da713cb408fL,
        0x3a6a1adc413a25cL,0x32572c1617ad0f5L,0x173072676698b93L,
        0x162e0c77d223ef2L,0x2c817b7fda584eeL,0x08e818d28f381d8L },
      { 0x21231cf8cdf1f60L,0x103cad9c5dd83dcL,0x2f8ce045a4038b6L,
        0x3700dc1a27ef9c9L,0x372ea0dcb422285L,0x2021988dc65afe3L,
        0x26fe48a16f7855cL,0x2fd1353867f1f0cL,0x13efdbc856e8f68L } },
    /* 17 */
    { { 0x234d04fe6a3ace5L,0x2d80fa258647077L,0x0007f75ed0f40dbL,
        0x2f256c966d6d370L,0x22615f02015e0e6L,0x0c7a8fe37ef2e99L,
        0x3ff824b2ec5433dL,0x0ccb90ac2c39040L,0x11119315060c480L },
      { 0x197ea28045452f1L,0x19e33dc7cfdcee6L,0x3ddc41e9328e80bL,
        0x1bb9abc708d294aL,0x1b44215e7b7f265L,0x02900a2f10e016eL,
        0x2476e23aa734f2fL,0x033df8f1c91e508L,0x1f16dc2e8b068c6L } },
    /* 18 */
    { { 0x0dfae6ffffc0de5L,0x06053ead297c92fL,0x3658ea2aa8dda80L,
        0x3d7693c11046404L,0x334100611f3b1caL,0x1b833e23c92e736L,
        0x055c8248c324ed9L,0x0b8a52dfa8cd08cL,0x1d36e835b648909L },
      { 0x2b77ae707372f27L,0x26d3ea0eeb8669fL,0x1ae165429ebb477L,
        0x19bf00fbcfe85d7L,0x16991c7c4942ec2L,0x1894f4f0397f1aaL,
        0x34e738a0f61e4f5L,0x3a465e847fd6379L,0x00260524cd4624dL } },
    /* 19 */
    { { 0x1b5d0ca01342e08L,0x3b53c2dd27c2bd1L,0x02d96529d804509L,
        0x36db600d673ad54L,0x34c3848005eb087L,0x1d6a1e13aa99aa1L,
        0x34317ee972c7a0cL,0x3efd2305a7885a1L,0x14f81c556e0e5c9L },
      { 0x2b0b12be120674dL,0x3c26e4867c02b09L,0x332dd658caa6c6bL,
        0x2be0a4b66787879L,0x125fdbf80c771c5L,0x199b0df57604d4aL,
        0x0df680e61bd7983L,0x0260e36b251a874L,0x09f58dcf684c39fL } },
    /* 20 */
    { { 0x01691027b7dc837L,0x065d52d43ac7105L,0x092ad7e6741b2d7L,
        0x076f20928e013d0L,0x2c8e20bcf1d0a7fL,0x286076c15c2c815L,
        0x3b508a6732e3b9dL,0x01249e2018db829L,0x04511af502cc9f7L },
      { 0x3820d94c56f4ffaL,0x08168b13c303e82L,0x3d4ea1a0606a1c6L,
        0x199e6cc5bee67ccL,0x2e4f240fc1bab64L,0x0b5f710c16a8214L,
        0x23c07322539b789L,0x198cc0d95fc481bL,0x05928405280cedbL } },
    /* 21 */
    { { 0x0d087114397760cL,0x082dd8727f341a4L,0x07fa987e24f7b90L,
        0x281488cd6831ffbL,0x1ae21ca100e33b8L,0x2c0c8881cf6fabfL,
        0x145da6458c060a3L,0x18bbe6e71cee3b8L,0x0aa31c661e527ffL },
      { 0x3518eb081430b5eL,0x3e73a943b835a6bL,0x30b5aa6ebe8bb32L,
        0x3ca7f875a243b36L,0x31a59cc9a1f15f7L,0x22aca98f3975a3cL,
        0x07ce54f4d679940L,0x01ddba16c73bd0dL,0x1768ff423c0286dL } },
    /* 22 */
    { { 0x164104c33dcec23L,0x03586f3741d4661L,0x2f514c4f309abafL,
        0x3d779221c5521b6L,0x1d3539ba3f01bc8L,0x28efa3b3775aebcL,
        0x1d865fbb7e665d3L,0x12683e4676b0f2dL,0x173fe203da3f121L },
      { 0x03ae9a178d4a3d1L,0x173d62194c5b601L,0x26c041176463a4dL,
        0x23fe12be913abc0L,0x3ffea422d316c63L,0x188ad84d44bc8e5L,
        0x27068d691eaa046L,0x2ccf12215ba8e5fL,0x1b542d1b2e3f4a1L } },
    /* 23 */
    { { 0x11b2d5e1f487402L,0x005b99eabc7757dL,0x31f56da9c20ae36L,
        0x187b3916ff47acfL,0x3027a9e1825b7d3L,0x210459250b6c18cL,
        0x0773d0bf228777eL,0x297c3d7f3831116L,0x01fb2b3151d2dd7L },
      { 0x02773e8fbaa096aL,0x1c9baf824ea1e04L,0x0d072c7f1781152L,
        0x342ad7729d9714fL,0x187ef2d4a38d3dfL,0x1fac470aed29f61L,
        0x2da22f5c9c2013bL,0x3b2b578d4f0d02dL,0x039846d50a5a325L } },
    /* 24 */
    { { 0x2da77361677df58L,0x2f559c72d435b1dL,0x07d70a080ff2364L,
        0x0a6194c90c0110fL,0x2c35101e7a0a854L,0x231735da0800b74L,
        0x2cf13fbebc61434L,0x23703fc5646bb29L,0x0fb91c7c2e698bfL },
      { 0x27c5cad12de14d5L,0x12317d95872089aL,0x24307cdbb3dabc4L,
        0x0471da0475e7e37L,0x2754620499c58f0L,0x269d39247a2601bL,
        0x3e37c3e52ad0a2cL,0x31cb480d1a172caL,0x0ec7a8632450a0bL } },
    /* 25 */
    { { 0x3818c218a86786eL,0x0dfdd084df8b20cL,0x10d1a7e6eb20ed5L,
        0x1c17371200d765aL,0x024f7bd759790ecL,0x387c3c511a458b2L,
        0x1915ca09e7ef9d4L,0x089bf4c304a2f3aL,0x02d810145f66c71L },
      { 0x12749f5b71d87e5L,0x0ec505ec0b3b68cL,0x2d2ee0baff1625fL,
        0x2a7f2b9989c0915L,0x337bd985f97f7b3L,0x3e9b430435bafe3L,
        0x32f13720aa81b97L,0x376c6ca7c680487L,0x03de326a2f85cc0L } },
    /* 26 */
    { { 0x2f3398b38c2ee78L,0x0f44069d682fb89L,0x1706565a7f8e40cL,
        0x38c10067974d68cL,0x2b8174b6ed12985L,0x3e0294a8878a990L,
        0x18d80e25a15ee8aL,0x3aa6974783f9a14L,0x0848cbbc13804f6L },
      { 0x2828690dfd45169L,0x1f8261674fa341dL,0x0811cdb8bfc238dL,
        0x1e858b3d9208dd6L,0x3b4d15b8c849954L,0x18126699252eaceL,
        0x21cfed822cbc57cL,0x1662eb10c893aa2L,0x0d94356346957c6L } },
    /* 27 */
    { { 0x306925368271323L,0x2782a12734135caL,0x1fbf2b31cc7d24dL,
        0x13d5e8f8d86ab8dL,0x20294e85644f64bL,0x0f3b52b852411a1L,
        0x2cda47ddc82ee74L,0x3e5a32e4a9a95f8L,0x13f989c42efbfc1L },
      { 0x2d98bdfb8651600L,0x18d0d1e8f3ebbafL,0x254335b1a2268c3L,
        0x3775609541e4e84L,0x3852eb1e9558da7L,0x0a57d516945cec8L,
        0x06d101df5ae5852L,0x3e18b951b8bbd99L,0x1faf7e16a2c5d89L } },
    /* 28 */
    { { 0x1746c8ec7ec136dL,0x07609f3444d46c3L,0x3ad3f187a116f8eL,
        0x23c4dba1195d928L,0x0850983c22f1b96L,0x39c5c967506a8a5L,
        0x3c149c2123ecc4bL,0x2e0b77372ad49d8L,0x16da7f50b181022L },
      { 0x19e532d0ca5e258L,0x22b45e5ed8a9efeL,0x242ec77fddefa14L,
        0x335d3e6db123428L,0x07fd122d458518bL,0x2d42cb5f14ecc2eL,
        0x01aae9bb8cd193fL,0x1b824685a6bbaf0L,0x1c57e49b10a1de2L } },
    /* 29 */
    { { 0x0abe67521210716L,0x0a5a8c1f809000bL,0x011d8c83795b81aL,
        0x0d3767be9aa52bfL,0x3677d686f68f203L,0x3d7389d56f8be7aL,
        0x357c5c6a13f277bL,0x12e33df648906e5L,0x13270c3d2f4c74fL },
      { 0x1c8609c8d209aa4L,0x104e8b6cad50dbeL,0x2d1a2992345d46fL,
        0x3ae521f0d3e5adcL,0x2b440a375186f2aL,0x3694d6393e9c85dL,
        0x25b3103a4209367L,0x182e3c47ab78ffcL,0x1a99a570153505dL } },
    /* 30 */
    { { 0x21513936e7495bbL,0x0bf4a12421e746bL,0x2b0b29fd76fcebdL,
        0x26f1839c872708cL,0x3517a09e2a1a0d4L,0x362eb7e27d60ae0L,
        0x148bb4ac37809e9L,0x3121d2a937a782bL,0x027fd041312cb6cL },
      { 0x05502eeead4fb6dL,0x3097b42980b2fb0L,0x2841bd7f4a07760L,
        0x0c953b7385162e9L,0x10397614cc28b60L,0x207bb64ee75078eL,
        0x2d4b0b4221b71d1L,0x3906740438f08ccL,0x096dfe58a27dab0L } },
    /* 31 */
    { { 0x0d6fcd67debd24eL,0x3f29826b8ac1d53L,0x022ef217c26cbe3L,
        0x382e58838fe9f63L,0x2c7f9f87dd42d03L,0x25cbffb98d2fc85L,
        0x0d3e7722b1ec538L,0x14dfa0ea55f0758L,0x162edfe5f860f6aL },
      { 0x0a05400f0ea20b8L,0x0ab1f875e5a4010L,0x25c90edb0cac287L,
        0x0c2d8a4e69ddd96L,0x2af2cb7089df5b9L,0x0bfaf04bde299dbL,
        0x190ad3030732bf5L,0x38d04e999037ae8L,0x0d536eae15f93e7L } },
    /* 32 */
    { { 0x06119f6a1c88f3cL,0x397fb0bb1a5129bL,0x2c605742ff2a924L,
        0x07b76c8b1f1322aL,0x0fa5d25bb60addeL,0x3045f7825ca24e3L,
        0x2929c1fa5ac4f7eL,0x257d507cd6add20L,0x180d1c4e8f90afdL },
      { 0x3c4e73da7cd8358L,0x18695fca872480bL,0x3130ad94d288393L,
        0x198ada9e38bdbcbL,0x379c262cde37e24L,0x06d65ee42eaffe2L,
        0x0d4e646cae01ef6L,0x3e1167078cfc298L,0x00e52a42280dd01L } },
    /* 33 */
    { { 0x2d640a40f013755L,0x3739dfee0e03a5cL,0x0e797eb64b310b6L,
        0x02e4f2968d89e27L,0x358bdffc98e704bL,0x08c30dc8630d83fL,
        0x3385d153b1f323bL,0x0efdf5ace422169L,0x04a071130f556b9L },
      { 0x1a2096bfeef3f88L,0x2ea1a6e0ace514aL,0x184a872664a722eL,
        0x286163fe509ff88L,0x17490c9daa0dc0bL,0x056233a0cde67adL,
        0x32cee21d356f628L,0x2bba5f766f1fe9eL,0x0d21e61a4e8a3cfL } },
    /* 34 */
    { { 0x05db629e9068656L,0x2f5c327fb7937fbL,0x15bdfcd45546623L,
        0x3498a469d071e2bL,0x2761e688ef7981dL,0x16e49cbceb14f64L,
        0x146fec6a96892a5L,0x0bd59085f9ee019L,0x15e793c03cbab9eL },
      { 0x0fd95436eff39beL,0x2bc1fb6ffd3da02L,0x3abdb02416165a1L,
        0x3f751e600a60f51L,0x060b2e6fb37c5d2L,0x3a36e662761b65eL,
        0x28b9bbe3e3284ecL,0x062ce7c127ad761L,0x18e3b3e8a789dadL } },
    /* 35 */
    { { 0x3026c56e51e61f0L,0x2f2a8cc1fc9d5d5L,0x26ebb1aeaf41dddL,
        0x1f38b5fd6ea4a80L,0x2bc5ead91a33e93L,0x391a01f47df3007L,
        0x01951990ab665d2L,0x101270a913d554dL,0x0aa099c1ca67966L },
      { 0x161a9098f97e387L,0x145de1178775a6dL,0x112b7ff1d6abf60L,
        0x293426a72247fe9L,0x1d2282e2b42da55L,0x1d0616b57969f1cL,
        0x0baeffdfa5a203eL,0x0285866c4da77a8L,0x1a3a5eef9141eccL } },
    /* 36 */
    { { 0x2f20d0a7a573b81L,0x3072a1986533bcaL,0x2d8d0b711c347eaL,
        0x1b2e826750bbc34L,0x05067a8ca6aea01L,0x284d47be998274aL,
        0x1c26346a52c6007L,0x00cf36ae16062c4L,0x121f17fa45dbb1cL },
      { 0x3b8b87afc3279d6L,0x39daaf0807c7867L,0x2a83806c21dde30L,
        0x0af18fe093c0abdL,0x246bd1a53eafd7eL,0x084e4591ec1d389L,
        0x32d9bfcd6f4931aL,0x273c6acb3f4e705L,0x10a62f3eb4b4db5L } },
    /* 37 */
    { { 0x002de36e0689a1bL,0x3327f5f72bf9cb9L,0x2d7e255d0bfb9dcL,
        0x3b92b681367937aL,0x2bfd2e774d7ee87L,0x1c2cae6d6a140e7L,
        0x103bba282c66577L,0x141c69eb2a09ae8L,0x11aac7028bac7cdL },
      { 0x261d39c680c8f04L,0x271332d22ced78bL,0x09bd95744f3c2f0L,
        0x2d2ab32d64c4c58L,0x25adfb2096d72e4L,0x3f4fb33f6dc1832L,
        0x352a73c67d9e431L,0x215f0521e89bf85L,0x1e33d95366364d0L } },
    /* 38 */
    { { 0x264506b4cec9e7fL,0x1592d0c2aae63f9L,0x101f173fa284a44L,
        0x1f85725d1c9786dL,0x082dec033e7b7bdL,0x298edd8b5b319eaL,
        0x0e2fcd1fe2e9340L,0x39d48e821386cfeL,0x0fdccce4da89ae6L },
      { 0x397f8eec12fd820L,0x3e24aa5b691ccc1L,0x241d55997bf4325L,
        0x2b00add4f3d65f4L,0x1f677ceba3aef35L,0x06eeb1b229cfe57L,
        0x1278b05b2892b7dL,0x117da41d4560f31L,0x01c2f5ed53fa47fL } },
    /* 39 */
    { { 0x114165eab40b79cL,0x1bbb6096d226a0eL,0x2b7d8a6c107fbfbL,
        0x22e3807ca2f684dL,0x1a4d79907d431dbL,0x11c79a161397437L,
        0x376ff869a91472aL,0x047f56341a5a660L,0x006ce369b74c463L },
      { 0x00773d11add1452L,0x3a7257b63a68a9bL,0x0e32ca15a40c2e4L,
        0x0dabd8bc63fa3feL,0x2eec9484b3fcb7dL,0x2c81016cb28cdbbL,
        0x2d8352a4d6e7a93L,0x00f9db64340c655L,0x0e5dd375603d9caL } },
    /* 40 */
    { { 0x05f297d8b481bf7L,0x0a8f90a84ce0f33L,0x128cdc40b96c06aL,
        0x17c462768f27851L,0x16cd57fa79a2bf3L,0x0d5f4caee2b6e62L,
        0x176fadc1a4935c9L,0x0f78547ec96030bL,0x1ba98721eb424f2L },
      { 0x002daaf52a4b397L,0x17d330342d39523L,0x0db37b7e79cdc3cL,
        0x3b2cce5c2d8a6f9L,0x092808c7ff34336L,0x08a236c7b4f72dfL,
        0x2ed59aec290eff0L,0x3e97ca91e7547a5L,0x0929d7ed87076d8L } },
    /* 41 */
    { { 0x0edaf0be660043cL,0x28b32c05b81d376L,0x28e7e2cc3b3d84aL,
        0x0c1709a7f12748dL,0x13de33e3647b501L,0x2272941340653b8L,
        0x0db11ddb3361b97L,0x24bc2335460ce61L,0x0c6d5b801ecc8ecL },
      { 0x3f91c1547ab9887L,0x2178a9ad6ac044cL,0x0e5a133fc8182f2L,
        0x1d0e361a4b26dcdL,0x043282e815c435aL,0x31ef36a8f24ad1fL,
        0x158c86191231f59L,0x0f328eb90970d34L,0x0117f568febc5a2L } },
    /* 42 */
    { { 0x0cbd9d5bf5caa87L,0x3f183da37632763L,0x0dbbc7d4dede17bL,
        0x11609c2d6fd8fadL,0x1cc098fe7bf6e59L,0x175ee3d621c4de9L,
        0x25a533ca5eb6870L,0x029b12df7bbb92cL,0x0ef8e045c324a70L },
      { 0x20c1c9270cf52bcL,0x0fd8ea43318a605L,0x021cbf3028fb4bfL,
        0x35d48efbfc57ffdL,0x38b9ce1050a8102L,0x19886c7bfccc268L,
        0x0a78078e9da4d00L,0x2184a5dd7e27f30L,0x0eb590448650017L } },
    /* 43 */
    { { 0x26664fdebbd33ecL,0x269983396b55e62L,0x2c0550fb56ed0cfL,
        0x2b4756aa9bbb341L,0x3948a7f07b4ca5fL,0x3f870468db6bb96L,
        0x12544bd2e37887eL,0x363a907d86b1247L,0x0be49df70712bffL },
      { 0x0e2f1f565acdb56L,0x04f21179796f798L,0x1354e17a0412f2fL,
        0x33f6724efbee5ffL,0x325a957e48a2867L,0x28618d7e72a745aL,
        0x26ae711f55c19b4L,0x150766ce1a3d634L,0x000ac4480414c94L } },
    /* 44 */
    { { 0x01bcf89d4ad38dbL,0x03ce04f5c51445bL,0x2759cb70243a118L,
        0x18c58e9c5b16d30L,0x213648bdb5dd64dL,0x137a65a6ef4bbfaL,
        0x1e8c45a47187f9eL,0x3429d9779a44b8bL,0x048e075f29c4bdaL },
      { 0x03354745e4dd88dL,0x20d8e2015debf00L,0x1c01227288f7182L,
        0x2479a26277b92cdL,0x1cd3f71bad008fdL,0x3936878908508c5L,
        0x262bb15cb023ff3L,0x13f95f9ae70d6d5L,0x072143f41657fb0L } },
    /* 45 */
    { { 0x06b046c26f40f2cL,0x3491b1b35f0c76cL,0x22701953a9b7bd5L,
        0x2e23c010dbeaa95L,0x021d0660d5ac929L,0x2f5b6f9864dce4bL,
        0x3c43f9d279ed159L,0x34094ddf1356b45L,0x179800eda50b8fcL },
      { 0x08ddc0b36132f31L,0x3d3c04ab79ce8eeL,0x1ec3203de2b96f8L,
        0x0508c6d94cce216L,0x0a14093caedb038L,0x30af8be6b423348L,
        0x2bc09fb9f86d445L,0x11e37f4f654cbdbL,0x13d757b58991aefL } },
    /* 46 */
    { { 0x19ad100580f894bL,0x09222b649791bdfL,0x3e142e5a6865b61L,
        0x14c5fe6a04d1525L,0x2f8a33541c86e10L,0x299b55e362aa082L,
        0x358e23a67906607L,0x2ad711f7d82b97dL,0x107cadd4c90a7f8L },
      { 0x16b044f6764ad0eL,0x3f8384940626ccdL,0x0a625f14db6af69L,
        0x27c6f5df550b7abL,0x25cfa895ce9f277L,0x1bc66b0e5e6447cL,
        0x2f44b1d4e94cedbL,0x09fd70d4cd05c06L,0x03bcac43fff50c7L } },
    /* 47 */
    { { 0x342951c83c1d4cfL,0x1e4742c9170d3c5L,0x0ef69c2dcc71e03L,
        0x0a4a8c41d9faa3eL,0x3b12948bd2ea57aL,0x3fabae0c956d1aeL,
        0x1abf592adc1e090L,0x29a26834b463112L,0x0199e8c9ff5c4a8L },
      { 0x1f7b9cdeb28171aL,0x1e100f55da61ef2L,0x33bf22ff824cefdL,
        0x24efcccf31562d3L,0x2b01ceb72ee09b3L,0x080a6737affe0e8L,
        0x2bf7515bb34c452L,0x173ce8f0fa2819bL,0x1a65dee07bb49d0L } },
    /* 48 */
    { { 0x1a958d6b114257bL,0x2bf507525d78c02L,0x39b53aae7b11729L,
        0x24fb746b20c1ca1L,0x11eb679750791b0L,0x099d6d2b3fbf1f4L,
        0x29517f0e54bd37eL,0x0268e2698b5fa35L,0x06b96f805d82021L },
      { 0x015d51757b5f9f4L,0x2790d9016d13452L,0x1de0e4870160e5cL,
        0x2547bdacfe0d10bL,0x1f7497faf953fefL,0x05bbc2de467933dL,
        0x12eeed24e3cc4d0L,0x05c0ff172aa1c94L,0x1b6f1ba4029a3bdL } },
    /* 49 */
    { { 0x2668435529252acL,0x189b01d39ec360aL,0x0cc1e0be86ab3daL,
        0x3dd3b57714d5420L,0x00cd41fd0534a53L,0x19d22472a7bfc50L,
        0x13b5ad0e7c945c5L,0x026237a92e257b1L,0x1ffefc67bef1515L },
      { 0x08dc109306033fdL,0x21e5e7cda1d7666L,0x2f26e3c335c51b2L,
        0x3f44938a75934e6L,0x0c41dbdfca47259L,0x33036255758315cL,
        0x28ff8606224b610L,0x21c1e81075397baL,0x1fd2920e15cae4dL } },
    /* 50 */
    { { 0x2d15f0ccd67da85L,0x22dbd16b1528559L,0x2021f1ac71c3ae9L,
        0x0991d564890bc17L,0x166e856dc1feb22L,0x3ed2e91ca8bc558L,
        0x1d920b65eb14566L,0x32e6cd1a22f4a8aL,0x061943ce86ef9d4L },
      { 0x0696218aac91174L,0x1467b1077648d2dL,0x2df29f0763a485bL,
        0x09dc4b22ccedfbeL,0x3b053863098517fL,0x3fcf8f9280b9fb0L,
        0x09648646bc45bb1L,0x2e4fd1aba25bca5L,0x1462aeb1649ebd2L } },
    /* 51 */
    { { 0x334f41fe8e4d3c3L,0x361ffd6edfa76c7L,0x2c0ad910b579c80L,
        0x186e1cd26bbc085L,0x02b0a6cc02a24b7L,0x3cb4655c152f14aL,
        0x3e6cdd3b4c7029aL,0x028d0392e438ab6L,0x0cf8e774f812606L },
      { 0x07f9dbc2e229950L,0x07e11b67e0adc0fL,0x19a3f10c05f3ab1L,
        0x13c3c608328adebL,0x0ccbfb332203eadL,0x199c1bc5476f2f2L,
        0x059d5e3bd9caf00L,0x3993968e6f89418L,0x14c984387c8dcafL } },
    /* 52 */
    { { 0x08a757f8e011531L,0x16c5cb0f7355f1cL,0x09fdc2d99e297f4L,
        0x07ee4ed9056a3abL,0x0a5488e869d4ee8L,0x2edeadc2960ced5L,
        0x3df3a9ddd561c30L,0x0ccaed6f68e12ceL,0x124f909f8e01ddfL },
      { 0x1b8aa84ab41e782L,0x08049a14776e1f1L,0x2a7d99482bd21deL,
        0x3afd2d904efd26eL,0x37cd1e22405963dL,0x2eb583bbb4da7eeL,
        0x2e30eddcf495dd1L,0x084b7ad1d5a4e24L,0x10baaf11bd8af0aL } },
    /* 53 */
    { { 0x146017416ec64e2L,0x052b3df5f1baf9cL,0x04a3668b7176bfdL,
        0x3cdd06c107078d4L,0x22d3b67b072e3f3L,0x15f64a35947e952L,
        0x08f419623edca3eL,0x2ebbca6dd3a2dcbL,0x0383d99cb47327aL },
      { 0x08dd0b3da342a3fL,0x00918b7bd2a5520L,0x242eeab5a860120L,
        0x0141b952db46c71L,0x310c6cf1a5e1e2aL,0x3e40f3426e85c43L,
        0x0166f5334fc3660L,0x10d4e5a7800044dL,0x0fafaa26074155cL } },
    /* 54 */
    { { 0x05cd0e6712de285L,0x3fe2c21a7d77172L,0x2b92df4ed389cd2L,
        0x0c156e67210dca8L,0x2e07a003363524dL,0x1b82524d1bfbd68L,
        0x28952b0a2c82dadL,0x1fadacd899885caL,0x02c9afcb188af21L },
      { 0x3b9d4769a64c5b5L,0x23577913133f874L,0x18ef11c6dbffa0dL,
        0x23d07052bb55821L,0x235efe854ce1d97L,0x11d15d74947e79cL,
        0x289c03f9d0c14c0L,0x2770034b20e3af6L,0x16fa25f040b36ccL } },
    /* 55 */
    { { 0x23d9dea9cad682dL,0x32c6cd18da4e46cL,0x19885c0f24d787aL,
        0x31f50620f3a7d70L,0x353555e46dff62fL,0x2473681746aca77L,
        0x0633ed569b1cb28L,0x150a36c536f114bL,0x1941acbb86c2a34L },
      { 0x06a70c824db8127L,0x1958fd06df3d6f6L,0x1abeb908d9b484aL,
        0x18e2670982a3613L,0x344436957aaeaaeL,0x02a4b2344fb5acaL,
        0x0bcb973bc94f99dL,0x1597e5e3cb8af41L,0x07456a388ef716aL } },
    /* 56 */
    { { 0x082dfe496fc1f77L,0x310d7c4d1eb5a98L,0x14dc25ebe457b04L,
        0x1a6dbdd92abd09aL,0x104d83da164a170L,0x03208cc380e1cf5L,
        0x239b3eb0b9db52eL,0x0536a621acd3b50L,0x16a76587f2a5988L },
      { 0x118f8e8ebc71a5dL,0x10690a150148cdaL,0x09ccc182cbcc491L,
        0x34f82415e9f58fcL,0x1e239d8eb4afe59L,0x365252cb98cf6c3L,
        0x04fd61bac8582dfL,0x3bf662e4569051cL,0x10ee0866a9dfceaL } },
    /* 57 */
    { { 0x350c47052e07a4dL,0x34e2e3975d1740aL,0x047ce1af12267f6L,
        0x12ce71417ded053L,0x186f739be03e4b4L,0x1f0bc6f167cf5e5L,
        0x23fad4ca19bca7eL,0x22bec7147007b01L,0x080da3937a57f42L },
      { 0x1d8ca9d102369faL,0x26ffedc1b038d7aL,0x19a796b55d80e00L,
        0x37ab0342530b828L,0x1787c187ada0e42L,0x33e812d9b06f8b1L,
        0x1773406d4ae2cc9L,0x18a156c33a981d9L,0x0d82d525245c7c9L } },
    /* 58 */
    { { 0x1cb238cae93de69L,0x0f20cceff6ba6dbL,0x1f4de8b79836496L,
        0x112ba2fe2b8cf20L,0x24c3ebacce13a22L,0x15696b582f1b9e1L,
        0x3e9459a837a53c5L,0x1bf361d7634d6f1L,0x01fb3705534f9f4L },
      { 0x0e9270c7fb974a1L,0x123e83a7b49205eL,0x2c3d64bffbd4234L,
        0x10f5e7d2cf05059L,0x13b9f32a0a05aa4L,0x32408d7b615693cL,
        0x352b484bebcf8daL,0x027459612661e36L,0x183aa4d59f1e48dL } },
    /* 59 */
    { { 0x2585d75dbffad9fL,0x3d85d3d06763f3bL,0x3f59e6c6934564dL,
        0x3460f566c31bdceL,0x3929c8950b80793L,0x2658aeadaebd3f0L,
        0x291273bd445a952L,0x1e16d4ad86517aaL,0x1be4fccdfff3d1cL },
      { 0x1c384d97cb2857fL,0x20c1601adeafd01L,0x1d1743ace6b24cfL,
        0x28af10f5adbd4a3L,0x314e564b92c7b8fL,0x0ae7c06a3c38a2fL,
        0x1383e61b69bc73dL,0x251aeae2fad00f7L,0x0aeaccea0c59791L } },
    /* 60 */
    { { 0x268baee0163c2deL,0x342cafac9da2926L,0x3124ffdae767c42L,
        0x3542ab2a50d5a1bL,0x2e01091cf926da5L,0x0c92fb35a670d33L,
        0x13a0a93d2545405L,0x332746dad63c506L,0x14ff144925ed611L },
      { 0x361a60cc1ed9259L,0x0dea8cbc7569fdfL,0x313d07aef4311beL,
        0x12539be9ee80e11L,0x28bd3730c99f33dL,0x2e555f710e4a305L,
        0x22bee573cf8ccf5L,0x158402f1b518346L,0x14527cd194383b1L } },
    /* 61 */
    { { 0x3e651353427af4eL,0x302ec4c4364df52L,0x276acaa671c32e6L,
        0x3534ea70ddaf63aL,0x3471709aa9d7b3fL,0x060147004933a18L,
        0x28ee1c225ce41d0L,0x13b215224a13fe7L,0x13d22d829c9535cL },
      { 0x301ed9da1b15e02L,0x24aeb0c07961a1aL,0x21835764135b1d0L,
        0x2ddbdc56692fe9eL,0x118090d0dc0ee59L,0x2014865a45c6814L,
        0x1279045c1531bbbL,0x1da15d024c3f082L,0x008963b48cc7633L } },
    /* 62 */
    { { 0x3e8b620f4aaaed5L,0x2379f7fa1c7ba03L,0x030ffebfcb4b106L,
        0x39f0e88556cac88L,0x02769b805d4dfbeL,0x34e7abc29e89aa3L,
        0x15f032377de7706L,0x2dcc7c6a4911fd8L,0x12aa1b81a8442d9L },
      { 0x19e67d0b1152e8fL,0x1cf65e4ad78530aL,0x1073f1cb57a22e7L,
        0x272fc76928b8360L,0x2c22b449a03af0aL,0x34b5f4745a6c583L,
        0x098ee4b82c1ac8dL,0x3a855d422b29affL,0x15054992440e3cbL } },
    /* 63 */
    { { 0x0004a0aa13a4602L,0x31c68f434b1839cL,0x2463a6d79bc5505L,
        0x0eb553677d293f8L,0x373d3c7b8e878ebL,0x113b3e95fb32a41L,
        0x24d1795b3bb2782L,0x0abc228c3d87ec4L,0x1155b7e50014f63L },
      { 0x2c42ecc9ef0021aL,0x05ff5fe15b27518L,0x03b82e6478bc580L,
        0x1a45416936c4389L,0x04cd7eea5af0746L,0x14abb42b66ec287L,
        0x09f09de8ba39a2dL,0x3e9901d1d126ad5L,0x13fd5c8f7bd9e57L } },
    /* 64 */
    { { 0x3d8ce7b5a53c22bL,0x0cff35f2ad11a86L,0x24e248acb394787L,
        0x07a8e31e43f1132L,0x315c34237a9888bL,0x2dc0818cdabedbaL,
        0x3508fab913b8a8fL,0x1ccacd2ddf31645L,0x050a931d7a7f9e4L },
      { 0x10a429056d21d18L,0x198c1d56d04286aL,0x0a8b894a6b05826L,
        0x18e0a33dd72d1a1L,0x2127702a38a1adeL,0x37dedc253ecbe16L,
        0x0d1db683ff7d05aL,0x3357074fd6a4a9aL,0x0f5243ce1dbc093L } },
    /* 65 */
    { { 0x3c183c3d37d7891L,0x140527f6197b2a3L,0x03d68f21844117bL,
        0x095681fd9603db9L,0x3ad303202af51ecL,0x019dbbd63f969b2L,
        0x0e000c95de68f31L,0x14951d4238c7f29L,0x159783e5a957773L },
      { 0x01db5712e537ad9L,0x1c44b4d6fa73defL,0x2b48d57f9bcb5e8L,
        0x242a2cf2f1eed48L,0x1e5ecdb5c1eff78L,0x0e1f9fb53cc1b84L,
        0x321e3d30da83923L,0x299f13647f3d1c8L,0x09f8487bb62e412L } },
    /* 66 */
    { { 0x2f5f80f8cb8e08eL,0x34b104925bfb5a1L,0x374360b7dcdf7cfL,
        0x37d5fd3417c0186L,0x2458061f24dbaffL,0x37a65312c664f0aL,
        0x07e0626c6ca8d09L,0x172f3bdc349349dL,0x0ffd4e5d4e3b999L },
      { 0x171e245c6f40077L,0x0b81141c8f9418cL,0x2f7e6a6bfd88159L,
        0x345b6767380d721L,0x03eb5770cba0959L,0x10358f74b9fe3faL,
        0x1e441958eb0881cL,0x07d3558ccef6baeL,0x034fb0397df3afdL } },
    /* 67 */
    { { 0x384e05eb358815cL,0x32cb5390421f65eL,0x188907f05d7a3abL,
        0x355ea7520721e9dL,0x042d64cbd350778L,0x33ca27fa74d33feL,
        0x2b2c6e0859cd5acL,0x02d8a0dcb564774L,0x06bc06d482e18b4L },
      { 0x10695a0da4ed375L,0x2bd620a636abab4L,0x21b4f4b7092c51bL,
        0x2b9e8cd6cd6c0a2L,0x20567efd88ab87dL,0x0c830dd29cd64d8L,
        0x158b307a49fc103L,0x33a6dcdeb2b128dL,0x01ed30696a34c0fL } },
    /* 68 */
    { { 0x1550ab0bd3902feL,0x292d2e1aa74ecf6L,0x20a9975cac379bbL,
        0x0c4ccd81770e967L,0x21afc2c58045e87L,0x3be72fc7cb16630L,
        0x383c4281ff8d6feL,0x0c7560afb57426fL,0x1579d1d9d5b5281L },
      { 0x07da3055519258eL,0x14e7e409f78aa1aL,0x1747d6a230d673fL,
        0x08d7d745a11a7eaL,0x35f7e41f5ab1aebL,0x1a9ffacd6effa51L,
        0x2d5187bd546abb1L,0x14f74abef53a385L,0x1607437be13bcc9L } },
    /* 69 */
    { { 0x1f165a9ee9755a3L,0x35686ae0b26ac55L,0x245aab6b97e60c8L,
        0x2c2ac1789c59687L,0x26db0830f3004cdL,0x16b2f7ae7830ed4L,
        0x1e8498aae1ec1a7L,0x318b904f51211d8L,0x1e9589e09bbb1b9L },
      { 0x35120819c72258dL,0x335cd170564f519L,0x3a7b91c11fdb61dL,
        0x2fe215e4239b189L,0x2530bc68ed1d3e9L,0x2d6d13fe6ab01bfL,
        0x10edd5125c16bb6L,0x36d70e2182edb6eL,0x1aa96fe8b08fbbeL } },
    /* 70 */
    { { 0x23a5dd8f257c0f8L,0x13724b74e84364cL,0x39cebbb8ce03488L,
        0x14e91c98aa40fcdL,0x352e06c6d6217adL,0x0c90a336877c805L,
        0x30c62cf5b723e0cL,0x20b307974e224b0L,0x1fdd9a90f1f477fL },
      { 0x30d27ba1763ab59L,0x1f64f9c8de0fa60L,0x0264945968aacf2L,
        0x0c85c0357560556L,0x303146d9f63251aL,0x196fc3cb3daef9cL,
        0x2323fb6cdcf455eL,0x11d1202a803398cL,0x1496e49e62cd96aL } },
    /* 71 */
    { { 0x2ff0b7e40574c09L,0x3c990cffa03a5afL,0x1352eb237d91b76L,
        0x2ddfb70c4082cefL,0x3424a36dc3c0c62L,0x31b10d7be624e52L,
        0x08d076e9ea64c27L,0x2792cb7f087138eL,0x139cc3852f6a4e6L },
      { 0x238a3ffbb096b91L,0x0b2795cf6350f94L,0x1b118c577558ee7L,
        0x34b711f52d3045bL,0x142e1955f54ec89L,0x10dd1d70801b74dL,
        0x2e9041004aed6a7L,0x0cb2707770ca8afL,0x1fb597417a2ed93L } },
    /* 72 */
    { { 0x00f1981859bae66L,0x23a6c61175f06cfL,0x1c03452a3c1eab4L,
        0x033fe040ce71b3aL,0x15f98d6fe2384a0L,0x2283756f35fb784L,
        0x3e1c06f7a00e3d3L,0x2987d5b765228f1L,0x0d09d21a7d18e53L },
      { 0x1cfdbaf880eb3fbL,0x3f4a5d7a0fdf27eL,0x3d6fa28a74b464cL,
        0x17f7ec4f80d86e9L,0x3232a6128b8200dL,0x06a361b80ef23d2L,
        0x2d6ea7d1fb92c28L,0x06309a19d7eb9c1L,0x11d9b08608aefabL } },
    /* 73 */
    { { 0x3cf6146bbd2f539L,0x14bf01db89ae885L,0x1d18d4be4a67960L,
        0x08a7cfce6a0da08L,0x1433f873a8f8234L,0x05bd15a1a2e11aeL,
        0x1477507a1d3f367L,0x3889b7d80f8a0bfL,0x00377cb02c56975L },
      { 0x275add38c01dd59L,0x04ea7ae7068debcL,0x11044dfc54039c2L,
        0x0181fb83619a42bL,0x1661fc40e202ee2L,0x02c0bd5a25bb7a5L,
        0x2f1a246b4d7398dL,0x1c49732e5a64796L,0x09fd5c281afc13fL } },
    /* 74 */
    { { 0x058c54bd7073a5aL,0x206972187ab1f72L,0x0a39e720201a87cL,
        0x23903800f3947e1L,0x358f199de952a9fL,0x15b300addaf712aL,
        0x3162f31cf12322dL,0x27846d98d398e0fL,0x16984c017ee8f96L },
      { 0x1f433625c89f1faL,0x0a98c2da5ec1e3cL,0x1e5c4b05b7f44a0L,
        0x1453fb79330ccc4L,0x04b025aa4a7ccaeL,0x2136deb4349ba1dL,
        0x31c1fe7d5b77bbfL,0x33480e7bc6aa3d5L,0x18d65eba928418cL } },
    /* 75 */
    { { 0x37866ab8abb2537L,0x3132ed96cc25be8L,0x27ed2a428ad314aL,
        0x18843a7865a09feL,0x089801b4e95d19fL,0x2ba2e08cc7ae5e8L,
        0x1c9642aae77a62aL,0x22e125a4f58a97dL,0x0adff5bfe973e36L },
      { 0x3efae21492b0deeL,0x0fa7ba580b0b3a8L,0x3c996f3b99e5214L,
        0x2c3a4ee3d6484d9L,0x01064c13edd78b2L,0x15ce39ea355070eL,
        0x33b1a4e6b970dafL,0x0823ebdbb305a0dL,0x180dbfa3f4f74aeL } },
    /* 76 */
    { { 0x024621a907a6aa0L,0x1b2da101e1e7dacL,0x0b688168a934ef5L,
        0x34e6e6a4121130eL,0x082541f2070d638L,0x3f222d41a5a32a8L,
        0x2357840c5970531L,0x2533d55937b56bdL,0x097e7e898c7c4d4L },
      { 0x1dc98d96b6ebb2fL,0x285ff1eaa7849b8L,0x0fdbfa2a2c68292L,
        0x032cb86146ed83cL,0x181ca4cfe9c6327L,0x046567562636c99L,
        0x0b8d1994082638bL,0x0c253913cc23a95L,0x0d696399eb844e6L } },
    /* 77 */
    { { 0x200f362b83769eeL,0x0102b0fbf132cfeL,0x388957abd68772dL,
        0x0965029c4a30e4cL,0x3ec242a31622644L,0x168695464271323L,
        0x1c2172d1e48f1e6L,0x1ff51a2f5c3c412L,0x041c8692d2b709bL },
      { 0x2388aa1df816784L,0x23229406f9d7393L,0x1ffb02a678124a5L,
        0x383b69c87826d27L,0x1e67a65eca73299L,0x15b1c6da282f47dL,
        0x05aa30d81e91e88L,0x2efc8debb8bd300L,0x073d94007500595L } },
    /* 78 */
    { { 0x112ac4a010c0ef3L,0x152f613a06c682aL,0x23dc4f3535090e6L,
        0x3ced1f4626a3c15L,0x2f238c09c10dc41L,0x106b3d9c48bb741L,
        0x358520224c16afcL,0x2b9bc732e4cd20dL,0x1271a4b5f292275L },
      { 0x12fd4733ce688b5L,0x19b4df72a71a2deL,0x326e541711d0145L,
        0x3b8f30d06a3f3a4L,0x02122c11fe3ba14L,0x174de6d5ae2ad33L,
        0x122f91c0fa763bfL,0x25696578b4abbc5L,0x0acd4e21b3d31cfL } },
    /* 79 */
    { { 0x013a7791d8e061aL,0x01f9c2b32128c10L,0x0266eb2f636a627L,
        0x085dec97275ab02L,0x170ff35cfe917eaL,0x106262fb76de2efL,
        0x0ae4455008db2b0L,0x3439c3d6293f338L,0x043ed0923972257L },
      { 0x0ad77b3e2e129e6L,0x312a1c3c6f935cbL,0x0dff20056333fb8L,
        0x304a9a4550ebb94L,0x2b8fe2640bc2658L,0x259682be5770332L,
        0x11d99e694eb5841L,0x3721df4eea94fb7L,0x0832df13b208a1eL } },
    /* 80 */
    { { 0x2ad2247d181c3f2L,0x34d6fbccdec8fffL,0x3cba74890672915L,
        0x23ff69e8e876d33L,0x179275686e4f70dL,0x3fc7de7889ad906L,
        0x1fa4e8e80408636L,0x27d8263a12ce73dL,0x0da57aa0be9d8a0L },
      { 0x00cecf54efcea66L,0x3cabb2bf1dbebb5L,0x1a48c91585a898dL,
        0x29c4fc02a958fc6L,0x344b5cb9fb111bdL,0x149883459a1ebeaL,
        0x0b35abc6d5fb126L,0x3134abe54fc6eebL,0x0ed99709370ff94L } },
    /* 81 */
    { { 0x09f56e068b54c89L,0x3305f739cdf08abL,0x283fab089b5308eL,
        0x0a550fef46c823bL,0x0844dd706b0f3a1L,0x3b0b90346c8133eL,
        0x19914a80975c89dL,0x137dc22c046ba4eL,0x0176b4ba1707467L },
      { 0x1216ea98fdfc175L,0x1ff18df83d6c31cL,0x285fceb33a3477bL,
        0x13c088faade2340L,0x351c6d922b67981L,0x304fd47641e1c82L,
        0x2d60b55859d5a49L,0x32acb9a7e142febL,0x05c2499a8446d0cL } },
    /* 82 */
    { { 0x1d581fb73e7bcf1L,0x37987374f05ef90L,0x17ecfa199fd916dL,
        0x1cf05676e5f18a6L,0x2641328301a7588L,0x250aa4613b5de25L,
        0x2ba4bb9672ce892L,0x375ffcfb9161e05L,0x1234fb7a148ce54L },
      { 0x05d80aff009be8cL,0x24e35de37c6e87cL,0x2e84312de62062eL,
        0x1fd81c312e69f88L,0x3a1b5da3748d29eL,0x11c5d14d73670faL,
        0x2b9e671e51bd2faL,0x31a8650262ac15aL,0x049bb584abc49f7L } },
    /* 83 */
    { { 0x1f255301ea470f7L,0x2fe023a49538c2aL,0x29ea71a0038da01L,
        0x385644f2a1c2615L,0x3b8281fdb0d2b2eL,0x063970aab85c012L,
        0x2943abdb5c6eb01L,0x3540695ab19307eL,0x0531aaf64771a92L },
      { 0x279ef4906345730L,0x2aa93a11bcdf0a5L,0x26b01a7c3aab946L,
        0x28a059b7d3be05cL,0x24e04dc3ecb808dL,0x1bb066d3a7ecff0L,
        0x16d13e9e0b61db7L,0x14e11b9fd997bbbL,0x0e570ed8c0786a7L } },
    /* 84 */
    { { 0x2456e58108ce13fL,0x3f163438e5e04d9L,0x284bea3949e9b5bL,
        0x2f1d6bd99f412daL,0x0a891566bea9b66L,0x3d856569f2d35b7L,
        0x2e25201b3cecf0bL,0x297e90c4b1cf400L,0x14b81d768986135L },
      { 0x047bc25841078ecL,0x2a72585e7115350L,0x06094851f8fc75aL,
        0x0fb38d0247da858L,0x088e54102998d4eL,0x36a2b17a6a7d9c1L,
        0x2c230cbf280f885L,0x2ddd71932b2823fL,0x02b0ac864b05094L } },
    /* 85 */
    { { 0x3606e398f5daf7fL,0x2152244249d419aL,0x1c5c08c58a72483L,
        0x343243cfb8e8895L,0x008795f022f362fL,0x1097d6ab258cebdL,
        0x06dbfb71710bd10L,0x2ef370805f817b0L,0x1c8d9c7dc82c1b8L },
      { 0x1b41fdf18b8bed9L,0x20cc238e88c495fL,0x1de77291c4bbe94L,
        0x0ad05122abef3e4L,0x3c44da4629b0b97L,0x06fd428a577f18cL,
        0x1e313190b9c4630L,0x2ab6462d9bdde1aL,0x0f5a8a4e2fa121bL } },
    /* 86 */
    { { 0x0a55109ca0251eaL,0x3bb62c9e9b26c23L,0x0beb5620f528f2aL,
        0x3a2b84ff15a406aL,0x085993c079a8421L,0x346ac35c4d27c71L,
        0x35d90929e083590L,0x299be5b8a4a6ebaL,0x0ce96c2f1f8f599L },
      { 0x0bc4b5112be8bd7L,0x11a83cf19fa66f9L,0x07d34d3a3864f48L,
        0x049cfd0e6076273L,0x026dce5671f6471L,0x00ac25af0caf0c9L,
        0x0682b7f7134ebffL,0x22d655813c02c34L,0x11cfd23d7eae3ceL } },
    /* 87 */
    { { 0x09646cca27689a6L,0x1f710d55905cafeL,0x248eb57cbfccd6aL,
        0x3ed6c6b7f94c2f6L,0x3711d8bf49b11ffL,0x1c39696e7cb6036L,
        0x118a1de879fdf0bL,0x354125d4d060dafL,0x114c8c526bd8cbfL },
      { 0x1fe725bef7388bdL,0x0f6f7f9ffeba9f5L,0x1b897e6de2acf1cL,
        0x26a7afc6fede0e5L,0x36978514681a72cL,0x1499c2bd94995c1L,
        0x157d483925ecd9fL,0x32c090def374a0fL,0x1ceb5d732a7c80eL } },
    /* 88 */
    { { 0x3f9fccecfd376d7L,0x3aacfa99ac21369L,0x0d08d5b91bd86b4L,
        0x1fa2a8c1361ab24L,0x37f866a4faa3d5bL,0x2e04eb849fcf50aL,
        0x0a920695d19fa8bL,0x073774e1e635f8dL,0x073df7c0a69a32cL },
      { 0x22c01bb38315b16L,0x29f226786323e6fL,0x3fb408b6b8531daL,
        0x231a024aa068f50L,0x2836faad4b159e4L,0x11a65cc1dfa4f67L,
        0x17e476d4ed6361aL,0x07e995a72cfd98aL,0x185b69d8183e781L } },
    /* 89 */
    { { 0x0f27eb3ab9cb764L,0x3bf0863af075b46L,0x0ddb0479aa79bbbL,
        0x09027950bd51dd8L,0x1bc699b96b4d16dL,0x3236322b8d70e34L,
        0x23a45d13b2ae258L,0x1301215e705499eL,0x0d9773b73576c55L },
      { 0x220a4730218c299L,0x38a6ce67de28ce5L,0x2009484f414f69bL,
        0x0de68b293511a12L,0x268db7ab3b2c749L,0x0d70d5fc2701dcfL,
        0x3de3f26181f0599L,0x1b82024c4c0f62dL,0x060f3effcd0e0fbL } },
    /* 90 */
    { { 0x23c14beb25d6530L,0x056ce66a5f503dcL,0x3c4bfbf7f6225e0L,
        0x27052d3c3c48270L,0x23f7e8ecf83d8c5L,0x3ac7bc3f3c00bf7L,
        0x1f0c6035d353c91L,0x3b8d0e5310a9480L,0x1b5787128ab7be8L },
      { 0x0937d3ab70110cdL,0x293bf11de446d68L,0x2f5bc53a4c19e0fL,
        0x3cce35427cb1ab2L,0x3e54ac1c6bd3010L,0x13ca8efcfb8aa0aL,
        0x09c7b931ea67c3eL,0x0d8bde93299bbc2L,0x0b05bda2c4f34a2L } },
    /* 91 */
    { { 0x024a071d1f575cdL,0x24ec06948dc60adL,0x36029a2c9d40156L,
        0x22e72452980504cL,0x1095b31c150c434L,0x0bf5258a40915cfL,
        0x10b2776f975fd22L,0x24dee85c1221b88L,0x1f6ac29b8136dbaL },
      { 0x1edef55775da491L,0x14fe78adaab6082L,0x21061bb40d5b259L,
        0x04535449f619a5aL,0x181ead062cfc453L,0x3cedc48cbc8772aL,
        0x06f20d3f3e4f07aL,0x3d6ec4b341ae259L,0x15e241363696910L } },
    /* 92 */
    { { 0x0844fd03ecfc44eL,0x17cb21410ecf543L,0x27dbc9bd059a409L,
        0x3ebd96fb37e697fL,0x1a67961cd239328L,0x2ed77f778c4091cL,
        0x3dc5baea9e39bfbL,0x30de6008adb404cL,0x141bed7aa9b5f12L },
      { 0x16f0059fd94d941L,0x3a7c01f53fc0602L,0x3598779f05e3fc6L,
        0x2cc0120f26798ebL,0x372a198704c40f0L,0x192929c4134bfbbL,
        0x367f1edb773b5b4L,0x2f4a802d9dc3d24L,0x1694f7e03012a9fL } },
    /* 93 */
    { { 0x1f5dd738a9095fdL,0x1e80874f3a15e83L,0x396be5edc767c4bL,
        0x3fc6028202242a9L,0x366f10aab56497eL,0x261e5d9ae615b87L,
        0x280601312988243L,0x2a4a585d233dceeL,0x01207d9076c555dL },
      { 0x3049a011c44394dL,0x097bdc339279142L,0x09f0b1694265f5fL,
        0x3f8426ccfe078e8L,0x3a30932e42c5bd9L,0x1b3e2bc81fca90fL,
        0x366722736abfcacL,0x09ac2b7dfe813ccL,0x0e02f1e92fbfa9dL } },
    /* 94 */
    { { 0x124e4a663be4d4aL,0x15efb59bcf32465L,0x13fa7e7a7ccd1faL,
        0x1aa2317474f75f2L,0x23f251f1e70e8cfL,0x0d5533d6c95e65eL,
        0x1a71090a5ec58eeL,0x227a9a349a35c19L,0x04c7c23d4d20850L },
      { 0x3ae575bbd52d132L,0x236a9ce32073158L,0x2e51e4e63b990fbL,
        0x19ac8e74e1c25a9L,0x0a5d49fed51d6b3L,0x0ea301ebb57e21dL,
        0x286ae2025091d94L,0x3bd68403e116b91L,0x1c21af59d747eb4L } },
    /* 95 */
    { { 0x37bc01edd441308L,0x0d251218c222417L,0x0a74759611cd0dcL,
        0x185308f3998abceL,0x1f8bafed211a712L,0x324f81e4dfcc5edL,
        0x0c52cf4efbb9ff4L,0x360aa203c3b763bL,0x028480cdd2cddc9L },
      { 0x0f1ca0dc3f807acL,0x393f0af41c1527aL,0x0a1491f8bb6c6a3L,
        0x3f4f5b7eb36b4f4L,0x15fb46ffbe3ee1cL,0x37573ef3b91ac6eL,
        0x38e8b75207b3ac7L,0x3446b56030366c6L,0x08452c669f4c7bdL } },
    /* 96 */
    { { 0x02b4747c0ace6d5L,0x32d92ef9ca1eb69L,0x089989bc2614d5aL,
        0x0dbfc171c7bccc1L,0x2d35ac450817fe8L,0x1d6a70f1dcbac91L,
        0x00d6fd7f5fc2163L,0x25ccfedbe786b2fL,0x09a7643c315720eL },
      { 0x32216b4f3845ccfL,0x1d3a0242f016f52L,0x0c74d60490379c1L,
        0x2858d632019e954L,0x1aa677b6dbd7220L,0x1b8b823a0e3e710L,
        0x2f6da537332c196L,0x18c36c0ca1d7925L,0x00c52b274cf9c30L } },
    /* 97 */
    { { 0x2c2e7828ea58bebL,0x013074d997e921bL,0x1fad20b40ff02b4L,
        0x2d8a74f9a9551b5L,0x166c81991fb5df7L,0x38b3f8fbc61a11bL,
        0x10d16bbe690bde6L,0x23a4a5ebae68050L,0x0cb59d81548baccL },
      { 0x105d3adbaf66a23L,0x0dce1d037ec2076L,0x35de4b00f432c33L,
        0x3a01f4e80f9b554L,0x3066bca80e17fe8L,0x2b7fe954a5513fdL,
        0x226ea460c2b96cbL,0x13ff27c06365116L,0x11ed543816724a3L } },
    /* 98 */
    { { 0x2a873fbbd7f8a61L,0x2335c6ef9602ed8L,0x1eb3667f69805e1L,
        0x1855c74f703f572L,0x1783f9bc8ab8d4fL,0x10e62c538b91485L,
        0x1811b536c3774b2L,0x38f0cb6d28d8dd3L,0x1389f7f12972debL },
      { 0x397f21c798fefb2L,0x1bf2d441eea9caeL,0x3760fadbb5689c7L,
        0x39f4cfa9b144befL,0x3236134a51a648bL,0x261624ed04a8a64L,
        0x26ada44a3d81698L,0x2d15d8512563cf9L,0x140b4dfc79b7687L } },
    /* 99 */
    { { 0x3b145707abe5bb9L,0x32ff63947606fa0L,0x1f49c9827affae0L,
        0x1229a1ed550836bL,0x3eeb41733c3a725L,0x0e09f18c20098feL,
        0x23b70e7014fdc3dL,0x1c5a1f4063e12d7L,0x0151d483e00fbcfL },
      { 0x14e3c7c6b578aa3L,0x33a6d74c10f6b85L,0x1e9bb6008101511L,
        0x04bd016b1bd57e2L,0x02008ac7b4ec311L,0x1714be99f99a936L,
        0x0ac2eb73c00d392L,0x1d14fb86e66622bL,0x08fdfa31d9560b5L } },
    /* 100 */
    { { 0x074a0e0251cf8d8L,0x225274107caf4b3L,0x0a4933ebce52d4dL,
        0x145716f36b82dcdL,0x016200b93e1ac5fL,0x1e4dcdbb4fb37f3L,
        0x2e69402506a266aL,0x3e4d56168722fa9L,0x00e081cdd539190L },
      { 0x15f995653e28412L,0x149bcb6c9c592c1L,0x25eb1df3adc70d1L,
        0x32b74d77b773558L,0x1a838ffe2d2c453L,0x30339627b510a12L,
        0x19b609ad20c1375L,0x3ec1cb57eea06f6L,0x1ad5be41dcc622eL } },
    /* 101 */
    { { 0x23af6678f850756L,0x0deab94bced65d5L,0x0a53796842f586dL,
        0x27fdd0fe65c434eL,0x193f1a8bacdaaf9L,0x027df364be9d579L,
        0x10650b1af04e154L,0x3f6698efe682b5bL,0x00e67b1cead55abL },
      { 0x260a8e0b5f43178L,0x3504b6730d6cccdL,0x3a63880f680856bL,
        0x198b988b1c4f5efL,0x36ff824457f372dL,0x36c13946b5edef9L,
        0x115c8d0f2bde808L,0x00bcb879e07f92fL,0x1941f475bfbb8e5L } },
    /* 102 */
    { { 0x1482bf9d63543ecL,0x32d9f2845fbcf9eL,0x0638160ccc63985L,
        0x355ca6f707a2b14L,0x1a22686df556cbeL,0x207addf358bb65fL,
        0x3a2ed9b124cb5fcL,0x16e5935ed3d99cbL,0x17260b29aa77833L },
      { 0x1bfc7b6a43df7c6L,0x32b08ef081c1b08L,0x37bc345d958085aL,
        0x34a8ca822f3adbcL,0x2d1953c5e9d8f20L,0x13da0343c22493dL,
        0x29912c7d25d7c6cL,0x19131939a88dcb7L,0x0ebda1c06c452ceL } },
    /* 103 */
    { { 0x2677c5c411dd110L,0x1e1ea8b26471289L,0x2a41a45666d60d6L,
        0x2ab057e7c554ef9L,0x30e0cc7b273e716L,0x29892ac2a4ee18fL,
        0x39c260a40571172L,0x3c4c3979d95b868L,0x046af8d78b52ef6L },
      { 0x16214b170f38dffL,0x1760a048e84415eL,0x04d4957ed8123e3L,
        0x2e83698058411a9L,0x154f84413618fa9L,0x27aa56af9f374a9L,
        0x2a30b4f1c2563e1L,0x26aa7111678532cL,0x183c748add661ffL } },
    /* 104 */
    { { 0x2981f399de58cafL,0x2e03f61d4fa990cL,0x1f242d11948605bL,
        0x0180fbac02b20feL,0x17c73d79cf490cfL,0x0935186d00dfc94L,
        0x2420cf844209fd7L,0x23e89ac0fdb489cL,0x1526f4bd29eb343L },
      { 0x24d034ac389e51cL,0x2957a5b6df663a5L,0x17dee913c583acdL,
        0x1effac0d102cabaL,0x09d461e29079307L,0x10efe2faa85b8deL,
        0x3d8c3fb0a675330L,0x0977275d2690ae9L,0x0ec7c41e6d66bb9L } },
    /* 105 */
    { { 0x29b345dc5da8398L,0x1a107eece310c0bL,0x05627c3bb47abc6L,
        0x0adce34b37738ebL,0x3687311858fbeb1L,0x2f53d3d352f0ab5L,
        0x0e1b0e9521db1cbL,0x2f8f8a9a432bbf9L,0x194375215eb7bfeL },
      { 0x0b234f12edfd661L,0x26613bb54b07d13L,0x3260d8f8f98c014L,
        0x391ef8e1640cb49L,0x195e8b672fe76e4L,0x0ac03a0950d61cfL,
        0x161eb8916c397ffL,0x06ef8ee6fdc16ebL,0x0007ee90182ae13L } },
    /* 106 */
    { { 0x36fea9e93fbcb5cL,0x2f960e7ea14a6f4L,0x3125fd611ba0382L,
        0x1ff362898dc2c90L,0x23d8d4704a59ae3L,0x13106de6ade3183L,
        0x249cc51bac243d4L,0x1fa7f10007fabb6L,0x0f6988ea44a83dcL },
      { 0x190caa4f077f79eL,0x05d807678964353L,0x3bb3d21b4b77f4dL,
        0x18240df86d8477aL,0x2135becf0031b3fL,0x0a40f76bc44fb60L,
        0x319296f6c01379fL,0x2b614daf79f2a9bL,0x06c57d3b6849dbbL } },
    /* 107 */
    { { 0x23fee389abfccb0L,0x38a892e59db98e5L,0x0f0284ba6d276c6L,
        0x2e919614f47e1daL,0x11b8ab9b6c38ba3L,0x1e81ccc5b8eacdbL,
        0x233f3201fc97424L,0x379ebf7505c6094L,0x0214dacfa81ac61L },
      { 0x25a9f37eaa3198cL,0x228d17f22e6754dL,0x312ad4f5ecbccbeL,
        0x180308dd452909fL,0x228a27b05e841ffL,0x0a167fcd767a316L,
        0x0bde372d3774446L,0x16fe0701183ffaaL,0x1810a0e49a129cfL } },
    /* 108 */
    { { 0x08203af45843c3eL,0x078c0eaafaeb9daL,0x08f3624df62b460L,
        0x22b48796aa0e5ecL,0x39a242b0e568734L,0x0a9db1b4b3c4b1cL,
        0x2751a2c848ed013L,0x0b416dcaa870bd4L,0x0f3b63296c392c0L },
      { 0x24b42adc6f3d1f0L,0x37314cbd4cae533L,0x333583443d9c2f0L,
        0x3bb7237672d5e04L,0x1ee87192fb50118L,0x15d06708c0e7869L,
        0x396b0c9977267d5L,0x30d6918bbe930c3L,0x1f7454fb7963cd3L } },
    /* 109 */
    { { 0x0f281949d153926L,0x0a32460ad5d5204L,0x3b30509e94c942eL,
        0x0ab7a75ad5d2d08L,0x18b3ca314c5acc5L,0x18f56f16a9d1b0eL,
        0x0cc9890f4ea307cL,0x2465109554e8b87L,0x08e271198bff76dL },
      { 0x3900e463c8e672bL,0x19d734fcb7f09f1L,0x11f7af2163c9703L,
        0x021eb3aaac1c125L,0x17e8d236974d699L,0x04f7045520bc86aL,
        0x36cd13dcfbc1dc8L,0x2bfc8338af20013L,0x03f2a54662c82bfL } },
    /* 110 */
    { { 0x1cf41e61588a8bcL,0x23343884314b2c3L,0x22bd758e7a456f4L,
        0x12d22e6e55cce15L,0x3a6b89b9e1600d5L,0x263320bd1877e02L,
        0x177147f7fd4f170L,0x317e459fc073452L,0x048b13385116116L },
      { 0x2b763335d2617f0L,0x295dc9bb2e181b7L,0x032d1b91fce93f9L,
        0x22db212e65ea4f0L,0x1823ca5bef7a438L,0x168cbdaeffa0089L,
        0x0b5c586f19c0283L,0x07767c9b356b78fL,0x1e77f5ddc776d0cL } },
    /* 111 */
    { { 0x09feec86ee764c9L,0x3b20dac1f20b30fL,0x32e6a005b142d1bL,
        0x28ca7a297a9afc6L,0x23ffe241c70ef51L,0x0a59b0a145f4a63L,
        0x3acc76bb389e287L,0x086d4e8b6a2a4b1L,0x04a902c9126732aL },
      { 0x2c51b9c8f7ce110L,0x0cea1ebac0dbc65L,0x10980a6a59e2dccL,
        0x29f9e36d40209a5L,0x0c95bb030ceaf26L,0x1310bd0a0bcf0e1L,
        0x2c4a0a6dd6e9f72L,0x0bbf1da3778a5c2L,0x16f4aedce4b03d2L } },
    /* 112 */
    { { 0x37f032aeded03c0L,0x128149623775341L,0x3c4f9a85be0f268L,
        0x1ff82e6daedb426L,0x2f2fb5887bdda0cL,0x30f339f865a271fL,
        0x0d2ae5f8a96960eL,0x0866ac10f6755daL,0x06829c8081bdb21L },
      { 0x3f872fade59f006L,0x27ff1b2e5fbd69aL,0x15db58ae7ef8c2bL,
        0x287d332a87cdc64L,0x289c27cc4c2e23cL,0x21af73186be3183L,
        0x18de43eee5d7e7cL,0x3c22e4896d1fe6fL,0x0b453e7f4634b24L } },
    /* 113 */
    { { 0x0c496d0e3048bdaL,0x19d2650f0f79395L,0x09f74c2d509ee2bL,
        0x07950f14226b081L,0x3105a365bb01f69L,0x22c5c1273665828L,
        0x2c946734d93ffe7L,0x29d540a7e66cfe0L,0x091785c5ea20161L },
      { 0x055f978953dbdb6L,0x3a13665fb2867edL,0x102936d4d75aea9L,
        0x2a30549dbe91cefL,0x347c76356a9c17cL,0x0e5ce34a73d984cL,
        0x3336094a68360b0L,0x1fc874f90c2a1a5L,0x1b40ae532dee2b2L } },
    /* 114 */
    { { 0x0110e825164cb8bL,0x26bd3c954a99f5aL,0x2d0e8d185527697L,
        0x21fed93ab138435L,0x3ac424592cf6c57L,0x33836042102058eL,
        0x04c15c5d8fff37fL,0x0fb262ca139276aL,0x010ed8055673266L },
      { 0x06f403051f3ee9eL,0x38fba6ce2b7c784L,0x3a6ea13d64492e8L,
        0x1160386aec74f21L,0x10bfd729827b49fL,0x3f1e8d7f0a0f45eL,
        0x23ad4f8fe50fa5aL,0x077c9dcf69516b7L,0x1f878bfaae4d9a2L } },
    /* 115 */
    { { 0x260d8e8abad5678L,0x29cb3b9803096ebL,0x20b44c288e210afL,
        0x1db49533e7ee753L,0x0959e2ba564447fL,0x25844cb07ecdaf1L,
        0x140f19393c44d72L,0x199235ea2207ff0L,0x09127a861288d09L },
      { 0x136c0218a9e690cL,0x331487aad3e856dL,0x0423b00ee54c85dL,
        0x096bcea392026bdL,0x0b7731d85b37935L,0x1073ed5787cd8c2L,
        0x3c4529b5361d781L,0x098d3a907ca7bbfL,0x0e8cf5755b19f7dL } },
    /* 116 */
    { { 0x1edb80dd212b398L,0x25860754f74dcc0L,0x20478a52fa95d03L,
        0x0ca9e0979b43821L,0x1330ece4fad1e64L,0x01e24dbf80616f1L,
        0x3f6ea3508f7313bL,0x1ad8077260bf679L,0x0e8dbf3a602d555L },
      { 0x3763234279e05bcL,0x3d03b3d1114f4f0L,0x1f4d7fa307937f5L,
        0x0d84235f888c431L,0x3c2a98bbc5cffadL,0x1f51fe03cbc07bcL,
        0x322e1c30ab1719dL,0x37e51ef27e462a6L,0x1f9f53dc52ae834L } },
    /* 117 */
    { { 0x266b49ec183f89bL,0x2d7c097d601b53cL,0x02b594ec3080d3fL,
        0x100dc73645f4c29L,0x3b7f7e26d4b6b19L,0x356ded93dd506aaL,
        0x0036c5e55269eb2L,0x099d4386a1705feL,0x1cea0ff0f22da5fL },
      { 0x02bd56a3a8e11f8L,0x190087d7e6ad518L,0x2c5a0ccc92d7298L,
        0x39948fd942f19d0L,0x3f7fabfb4d64569L,0x0f279b2f2391a06L,
        0x35ff20b4275947cL,0x2ba88ace54b54e3L,0x1b0818f8e381f04L } },
    /* 118 */
    { { 0x3e5bffae50d90f0L,0x0ec46fd4047370eL,0x2711a691dfac4cbL,
        0x0753a869dcf8432L,0x3e586eeb662ec21L,0x030bc7f56a5e7aeL,
        0x3bbfea4df16ab1aL,0x09bdbfa78fdfb15L,0x15e1b05960e5ae5L },
      { 0x08e04a58630e62eL,0x00c439911f86dc7L,0x2b6143b4447a3d0L,
        0x145d18b9e8f3c79L,0x00002724d92abb8L,0x114a5b7e0c27a82L,
        0x0ed8121d805d70eL,0x351383ce126ccf5L,0x0962d6bffbc6834L } },
    /* 119 */
    { { 0x13fe58d48e07711L,0x20d92349c28ecb4L,0x092d8cdff04c70fL,
        0x1e145047c50545eL,0x03e4f8a5515bb65L,0x104cd8bdb0c7364L,
        0x206d4d73f871520L,0x0c5fcbf8097bbb2L,0x0ad32a6e417954eL },
      { 0x238c63f69d147dfL,0x2ec1b9c42fcdedfL,0x2bef28d514deb69L,
        0x3ee34470f66e537L,0x10385c6044b2307L,0x1e003a0cecda77eL,
        0x101c1c68ea2f49eL,0x1e063c0a2c961f5L,0x055970782215cefL } },
    /* 120 */
    { { 0x0c351db54c1d751L,0x114c06e83e54484L,0x334fbfdc8bed814L,
        0x0e33c8da02a9dfaL,0x0e04f2860498d81L,0x1a96db6a4a30529L,
        0x1a910396192dba1L,0x10409277aa56d7eL,0x08580dd45780172L },
      { 0x10725000e09221cL,0x016c87c877815baL,0x2fa1e0e6095062eL,
        0x1edbddd44a51232L,0x1f1f34aca657fb9L,0x27fc575974a646fL,
        0x09ec79a66cd5ac4L,0x2baa37075a25f41L,0x067388fca84e72bL } },
    /* 121 */
    { { 0x120b49da6ef1dd3L,0x281178ee9b35d99L,0x180af33d5f48391L,
        0x2cbbc1d1d2a7212L,0x278bfb1eae53cf5L,0x36a41bea8d6cba6L,
        0x1f2cf4eca97fd6eL,0x21627c6a4de246eL,0x10d667533693ab2L },
      { 0x351049673691fafL,0x0f4ea755fb18616L,0x21bb930a8525dc7L,
        0x07902c16da5f8a4L,0x3413bedca094f57L,0x3469ae617a5a805L,
        0x2de8b79e7d4f728L,0x115355450ff68faL,0x0fb859b8444d16eL } },
    /* 122 */
    { { 0x022083e7c667aafL,0x1172e52a4732e9fL,0x19318ca0e94a335L,
        0x08f93aa831f287aL,0x242f56844c3afffL,0x0354b42e886b10dL,
        0x1301d4fcc68a8b6L,0x2f3850069616daaL,0x0a3547f762c907aL },
      { 0x3dd3ed3fbe260ceL,0x1dd4b6037007e98L,0x375d6f1da3e4271L,
        0x1294987c43b57eaL,0x3d20cd6bb5f1686L,0x086b195af9ec7d8L,
        0x3b918e9d638c102L,0x0bee0c4dee3d99cL,0x17423eb44384adaL } },
    /* 123 */
    { { 0x14e27c42a1fbcf4L,0x34a16d7eb357b86L,0x2bdd915e66074c0L,
        0x043bc29aa69d70bL,0x1067cf4581e6965L,0x2fb87ee84f16be8L,
        0x1279e72be013c17L,0x33d6616901b5b6bL,0x0310042951d5142L },
      { 0x2735ec1a22bbc45L,0x14e469fd5bd361aL,0x39d0236001de4eeL,
        0x146a8be3494c16bL,0x0187db78aa8b218L,0x06a2230c38b0db6L,
        0x3e7d5bcfcc083faL,0x3408ee476adfef4L,0x0f462d85460f4fdL } },
    /* 124 */
    { { 0x168ba024972d703L,0x132874e426280fdL,0x2542ae28c855fc4L,
        0x1816c6d14dba6e3L,0x34c7f7e484fd4f3L,0x08c208f4b822c1eL,
        0x09fd13042f3b982L,0x20d6727ff4c4c62L,0x1bb56af0652c6c6L },
      { 0x1bf05e206e0f16aL,0x2b0beb5d191297bL,0x0a980f92c71afc1L,
        0x35cdb2002879668L,0x2236178dc13ae37L,0x2d1bbc417c83bf1L,
        0x2509e4443a58b82L,0x366c32545f73d10L,0x1667d0bb415640eL } },
    /* 125 */
    { { 0x2a30a613d22842dL,0x3803d6cf13b380eL,0x0f876df82b798c6L,
        0x1b5e34823161d93L,0x1e788854ada92d8L,0x166c2650294b4e4L,
        0x05fc9a499b26fbaL,0x3c4d17704ceb413L,0x1dda5c0926934e3L },
      { 0x30dcac2fad6d673L,0x3f7c1403cecff9bL,0x1941631756e96d8L,
        0x24c2936038fb39cL,0x231d130013990f4L,0x156058e3cab2a4dL,
        0x1d5679ee91966c7L,0x07369b7c3d5d39bL,0x111be124868ccd7L } },
    /* 126 */
    { { 0x244c726475cc1b4L,0x3f0be4adce5e33dL,0x26d10e3d7eb7915L,
        0x06bd030e381969fL,0x1e1ad24fcbb44e2L,0x0d581b9662198aeL,
        0x0f93f7270ba4ddcL,0x2935f0e0d28b069L,0x02193d0c9a23362L },
      { 0x2cb7b8cf769fd7fL,0x176a5e26884ee78L,0x0c566b910fef181L,
        0x0249a4c50e1ed3eL,0x1925b37c02088b3L,0x1a9903951dedc6fL,
        0x21c6efa049a9212L,0x15acb4f77c6f7f4L,0x0649b5f9d7d232aL } },
    /* 127 */
    { { 0x240adf8679a9c35L,0x36638f2dd35e5b5L,0x0ebb5f8e9dafcdaL,
        0x13ab5281cf1192eL,0x22edde557473861L,0x1db382e6f61b03bL,
        0x15fb96773317385L,0x2bab66d74cc9d02L,0x13672f0aeb3ee09L },
      { 0x388c76d64e54ba5L,0x39ebc7711d34868L,0x29d1b2a7708163fL,
        0x27b784902b5fe8fL,0x2c720303a0447b4L,0x1af4084f67d92d9L,
        0x203ea5b1c78029eL,0x174ac72bc71c02aL,0x103179180eb3bb8L } },
    /* 128 */
    { { 0x1bf4f9faf2ed12fL,0x346793ce03f62abL,0x3db5a39e81aece1L,
        0x08589bbdaf0255eL,0x20cf5b28df98333L,0x00e4b350442b97aL,
        0x067855ab1594502L,0x187199f12621dafL,0x04ace7e5938a3fdL },
      { 0x1c5b9ef28c7dea9L,0x3e56e829a9c6116L,0x02578202769cd02L,
        0x0225375a2580d37L,0x3b5dea95a213b0bL,0x05f2a2240dcc2dfL,
        0x1ba052fe243ed06L,0x25b685b3d345fecL,0x1c0d8691d6b226fL } },
    /* 129 */
    { { 0x22edf3fbf8015c2L,0x208db712540b62aL,0x36e0a6a43157e7fL,
        0x0968b412c33a243L,0x1a809dbab318ef3L,0x299f288673019a3L,
        0x3ebc49dd26937adL,0x261123c9f04b20fL,0x02987b3db2f3c9bL },
      { 0x3e7aed0fd2e3dc7L,0x3a2f6dd057f554dL,0x2c9a58a45f25498L,
        0x2e882721743f035L,0x2d579e1ee83d5baL,0x140affb4c7b2371L,
        0x01bef11f4cad0baL,0x3299710cb9b387dL,0x1913b10afaabbffL } },
    /* 130 */
    { { 0x19f7df053053af7L,0x011d96ca2873d2fL,0x38fc7ce90438603L,
        0x1bab2317775105dL,0x3fb59ec618fbed3L,0x06c6fb3c9ec4c4eL,
        0x1973a99d2656ffaL,0x2d654cd384d1651L,0x18c3261888cc362L },
      { 0x013a414aa7f6ff8L,0x2bae20feadf1ebdL,0x086b7cc307ba092L,
        0x0948d18403be876L,0x302140c93dc81c1L,0x184120d64f5349cL,
        0x1795f3a1ed7e3ceL,0x3505b8ae47b3f7cL,0x191160dc11a369eL } },
    /* 131 */
    { { 0x272f46e8b57d7ccL,0x02c3952fc08e1a6L,0x396e05b3a91d314L,
        0x2a693b09b8221b0L,0x3c50f58e91b9ab3L,0x1789abc1d0bfabaL,
        0x1cd9f71592c6085L,0x0b22650f351daecL,0x17c3ed97fd4c7f0L },
      { 0x3b02503e6d54964L,0x34458b1a8c63014L,0x2cf49cc28c22d9bL,
        0x1000d4d190063fdL,0x2b4cc0668a45c78L,0x10b6f80e3a8ccd7L,
        0x36c3cd7ad727f8fL,0x0b5dac55fa447f7L,0x1b3a7f894c9ec99L } },
    /* 132 */
    { { 0x1e6e397af09ea77L,0x1d82e5d77097164L,0x0c08b94a197b26aL,
        0x2a2da3398663010L,0x15bd23564041bacL,0x25deccfe8668345L,
        0x3bd02986ca5b94dL,0x07e67cc7e1fe397L,0x0b8f76c55a6b190L },
      { 0x35bf8c33846ec9fL,0x08817277ab29185L,0x1ec0a3108df0f46L,
        0x20f3ebb64a24b2dL,0x065049fb2879db2L,0x1bb940c51df7001L,
        0x2dce4548d24bac9L,0x1a13e9f6dac595aL,0x0fc0110cdabab1cL } },
    /* 133 */
    { { 0x11b66d84d308bf2L,0x04f27f598e00105L,0x1f92fd383bf9990L,
        0x210fff23bf1a24bL,0x0313ea287a10efdL,0x2837dd0149f8c5bL,
        0x2bd2a18ef6e3cd3L,0x3933b2e5b90c3dbL,0x18cc1ebecf2a70eL },
      { 0x0d14ad71a70404cL,0x087743e738a8c20L,0x3cde3aa3e0726adL,
        0x0458d8e9a42e532L,0x1c6b1e2b40ab596L,0x1b3bb16f9c2ffd1L,
        0x3757c01296dd0b6L,0x247a3532ca9d1d1L,0x0aa08988ca63d7dL } },
    /* 134 */
    { { 0x22dcfcaf8db0396L,0x3a3cded08b69daaL,0x034996485724e8aL,
        0x311efc524fd94beL,0x2b0247a4ef647c3L,0x2baf6a3a2d802d1L,
        0x158df0abf3e4397L,0x2eac8b8748c7e9eL,0x0ef38e692b1f881L },
      { 0x33c168926cf3047L,0x053e51654e61607L,0x1d1c293f20b6dadL,
        0x1bbd5eaec5ff7a1L,0x01794de382ea543L,0x2ffb34bc346a3ffL,
        0x3860429ba508e22L,0x0c7e0443c29ff6dL,0x1962ade6f647cdeL } },
    /* 135 */
    { { 0x196a537fec78898L,0x2779cb783e9dff2L,0x36acd34cb08f0b3L,
        0x20b69e34d4fdb41L,0x3a0392cc1acd8bbL,0x160552757fa0134L,
        0x27c6d9ab7adedeeL,0x0fcde20e4068301L,0x1915855ffa24ed9L },
      { 0x1570e36bf9ebef3L,0x011a977d2cc5dcaL,0x1a95a6816b5ce21L,
        0x204a2343847e6e2L,0x13979159aadf392L,0x323eaecb5aeaaf9L,
        0x07af10411afee05L,0x38defc64b0ebf97L,0x0f7aa72e81cd7dcL } },
    /* 136 */
    { { 0x0fa3c0f16c386eeL,0x2c11a7530260e48L,0x1722876a3136b33L,
        0x248f101b019e783L,0x24debe27d343c0aL,0x25bc03abbc8838fL,
        0x29dcff09d7b1e11L,0x34215283d776092L,0x1e253582ec599c1L },
      { 0x08ef2625138c7edL,0x10c651951fe2373L,0x13addd0a9488decL,
        0x3ea095faf70adb9L,0x31f08c989eb9f1eL,0x0058dda3160f1baL,
        0x020e3df17369114L,0x145398a0bfe2f6fL,0x0d526b810059cbdL } },
    /* 137 */
    { { 0x049522fa0025949L,0x36223c2ef625149L,0x2f5fe637216fb26L,
        0x1911ca09fd8cd10L,0x399fc2681d8ec3bL,0x231dc4364762868L,
        0x1b27626d232ead6L,0x27e9e396ff8bf94L,0x0040f9f4fedfd10L },
      { 0x152ea516b4a05e0L,0x3523bbc871e3ac6L,0x26191997dfdbcb0L,
        0x0122d3087f5934dL,0x2be92303a0d11b2L,0x2317a0269bd5a6dL,
        0x005d8e2b8f60967L,0x27289c89ad6acdaL,0x1bdd6cff180db34L } },
    /* 138 */
    { { 0x09f8576943cc612L,0x10c67a0cacc71e9L,0x2297cccadebdc91L,
        0x10ac18660864897L,0x025b1cc7c4918fbL,0x191b97c2b32cc21L,
        0x0e3e22751d3347aL,0x00023abed2ab964L,0x151821460382c4aL },
      { 0x02481dbbf96a461L,0x048ba6d4a8ee90fL,0x058e464db08b51cL,
        0x1e1b5a82074870aL,0x0f533cef7b1014bL,0x05517df059f4fb5L,
        0x1b7b9f6cfb32948L,0x30a67a91b4c7112L,0x081cfad76139621L } },
    /* 139 */
    { { 0x3796327478a7f0eL,0x060f8b785dc177bL,0x26df572117e8914L,
        0x026df354b3f4928L,0x3ad83c1603cdb1bL,0x027be326790ae7eL,
        0x254ccd6971d2ea7L,0x083f06253f16e3bL,0x0fcf757b4e534a5L },
      { 0x25518cc86b62347L,0x072749ef0aa4a16L,0x2b052966727fec5L,
        0x0e82b90f9bcbba8L,0x205ca066bbc8a8eL,0x20ce61b6014d6d7L,
        0x374cdd91ffcdb18L,0x0890cbd296ee8c8L,0x12408763a490d20L } },
    /* 140 */
    { { 0x098b9724efac14dL,0x12fe369e6a74f39L,0x0dbdd6e07c29b6fL,
        0x3f5c5dc54e03c7aL,0x271b03263fac30cL,0x26d157d53247b48L,
        0x3092bfbf9383351L,0x0ef65da979e2449L,0x128a97674e1b481L },
      { 0x1b63c41583e5924L,0x26bfc63c5c7418aL,0x33cdab227a2861fL,
        0x36a2846adc0ad16L,0x0e8db6971939d5dL,0x3b042014afed1ecL,
        0x0e1801562379df0L,0x12aeabd69920493L,0x1508d98c43434f9L } },
    /* 141 */
    { { 0x2a9fe73cfffc80fL,0x38ba6f50d1cfdb7L,0x3ed3c9d37ba7e23L,
        0x349e8ff0d5c9fecL,0x38e04a03d733766L,0x2ef83d0f436d33cL,
        0x186f4f8ce017522L,0x2c0df61fadc676aL,0x1536d1b50ae2fe6L },
      { 0x31f5defda40bab1L,0x1aa2be6caf698cdL,0x1c890d4aca8707dL,
        0x3fd90ffe2ad7a29L,0x14bf8ec2f4d72f0L,0x3ae4f88a7130436L,
        0x2dfd0136b0eaba0L,0x2820af12c3a3c74L,0x1429f252e5a9d34L } },
    /* 142 */
    { { 0x2ffd4c17d0e7020L,0x1a6aaad52085a12L,0x1708588f348f9b1L,
        0x3fe21661aef6f80L,0x115f9c381daebf6L,0x12a529eecce61fdL,
        0x2d68497e455f2c0L,0x1e630e690510a83L,0x1541c1ad4a61ef7L },
      { 0x247b628072709c4L,0x035a2e204397f9dL,0x0874e92e0f63b33L,
        0x2e7e2faa6eb46f6L,0x08318981a144e4fL,0x1a31a81f056bf06L,
        0x200b66e19c5c82bL,0x1ebb216315e88dbL,0x0119b25511007cbL } },
    /* 143 */
    { { 0x21ced27c887027dL,0x03ccd4afeaca184L,0x3c1c19d511e2605L,
        0x2a5fd31a7d5b8dcL,0x325226bb402d4c3L,0x0f9eb0c39bcd5abL,
        0x18fdfb3b9011c38L,0x28d8d0ec308f4cfL,0x00ba8c390f7af2eL },
      { 0x030c3d67e851bacL,0x070e2697d513f31L,0x3c6467fba061899L,
        0x13a5f2f6fd001aeL,0x17734adadd49d02L,0x232db4a914e6df7L,
        0x24b3ad90ba8f9f2L,0x1a4a1ea4860c137L,0x06ab28732efa7b9L } },
    /* 144 */
    { { 0x1dab52d22ed5986L,0x3989e9614cf819cL,0x237acf155fe3deeL,
        0x035eba2c4cba3fbL,0x134a08b94cd6149L,0x270570c09c1b861L,
        0x25ad46a85ffd52fL,0x002ef568893cd46L,0x1e644d1b6d554d7L },
      { 0x2830686862e4e9cL,0x335db121d8ff925L,0x1679c0839caafe5L,
        0x3ae360f58b580c2L,0x211bc4ae2c0e4cbL,0x13f2818a4478953L,
        0x22704596a0d7c86L,0x104b3d5e17757a6L,0x1be2f4677d0f3e0L } },
    /* 145 */
    { { 0x00012ddab01a6dcL,0x2f5b06b86b6da53L,0x1aecb9b05079391L,
        0x2798a84187ceb9fL,0x3a96536b7c2714fL,0x385d952dc65e3b9L,
        0x2b3dd4eec11bd05L,0x2fd871c459b83beL,0x1d70f7aa57287edL },
      { 0x2ea6f7d51eb5932L,0x3a82a97e20b2909L,0x20977739f7dc354L,
        0x0aa6f95e4d05d6dL,0x378545eccd33519L,0x2d90f2766007d08L,
        0x23abec32b8e2567L,0x19426e504775c8fL,0x0ee656dea68cf1cL } },
    /* 146 */
    { { 0x138e140a0890debL,0x2f61f6f3ae12f53L,0x3f72ba041decbf7L,
        0x02a9a082fa547c3L,0x38c486298afeec7L,0x1c043b11d546428L,
        0x3879b1ecdba558eL,0x085733b6476e231L,0x14c08de3e4cef5eL },
      { 0x01534ed16266da2L,0x0c8baded3240267L,0x0aef699276889ceL,
        0x1fc170a1134df7bL,0x31ac519ab652509L,0x168f321b48edf84L,
        0x0c4575682ebb726L,0x14dcc314c76e58aL,0x0be2e00e8b87380L } },
    /* 147 */
    { { 0x007c80057ed32e9L,0x39033df009265ceL,0x2abbabb54830427L,
        0x1bf3a082fd16141L,0x3b2c43e81564977L,0x3fbd9922d4d4ca4L,
        0x3bdca5671e8353cL,0x3f5e49c85f4fe40L,0x1dc40a9c109a813L },
      { 0x3eaa6c33db21a38L,0x088b875cfbdf91aL,0x04e7bd1d507fcaeL,
        0x19161e9deac7fdaL,0x20c64a4d6f5bac6L,0x29f0de29631d3d8L,
        0x02e4094ca837d96L,0x3853fd0f7d4c4f9L,0x13f8a9a4347fb49L } },
    /* 148 */
    { { 0x1ab4edf992f8923L,0x2a9781bf4827ce1L,0x1b871b1340eee24L,
        0x07e4782ed009efaL,0x2f3d4c62c2957d1L,0x1ffdeabd096beb4L,
        0x14cbe92d231286cL,0x0d4a65904acac04L,0x19f6706a231c3e2L },
      { 0x2b3bbd2225c02afL,0x2f0598fe8fa6341L,0x2b75b84f482e53eL,
        0x084aff1577e9b7cL,0x0512a73da912b45L,0x354faa90c2f6f50L,
        0x27fd53ac0f43d93L,0x092d3f0d63f9030L,0x0a32cb183be9194L } },
    /* 149 */
    { { 0x39b0c2d3fa6a746L,0x29e488756892a38L,0x091478cdf2b5e84L,
        0x1f4c199b2cdc296L,0x2f6d71d068a8806L,0x01974612c269c27L,
        0x1c944850007a3e0L,0x24eb1c11abd2ee3L,0x1fd2b6a3129c654L },
      { 0x3d5d5bde45f2771L,0x0ac22bd0cbb6574L,0x00fbf232a6bb854L,
        0x10fa2fb32c8bb35L,0x2bf8e247f0fcb61L,0x368c0e6f3b3144eL,
        0x02a0df955d56f78L,0x3f8aa455f18655bL,0x18ca6d35cbf3031L } },
    /* 150 */
    { { 0x1800b1bbe0c4923L,0x2b9d01a40a41ef7L,0x337f957bd0c7046L,
        0x2765957e2e08e62L,0x2500f4150aa8e1aL,0x00b9ebbb34a49feL,
        0x29692e826a9c6d2L,0x15df2d33d62ce7cL,0x11f3093868cbf41L },
      { 0x1cb5e7a333ed442L,0x3238be41bfbdeebL,0x01233d98f228ae5L,
        0x369fff84970b66cL,0x1ba2318354632f2L,0x0b4b14496521dccL,
        0x17d9c4a0caae5b1L,0x003dafc03996261L,0x172c5d1008654f2L } },
    /* 151 */
    { { 0x09540462fc283e0L,0x0ce611fb8220396L,0x340eb7fd1622f76L,
        0x07bd66317b7ebc6L,0x37e00d9bbecf515L,0x2310ff51ad364bdL,
        0x11d1d27543e3b3aL,0x2db4ce65384b194L,0x0c6dd841a1daf05L },
      { 0x3da17e023b991adL,0x0ac84dc7ee94508L,0x2c5a0ddc1879aabL,
        0x2b57d8eb372d05fL,0x01e2a7d50173bc8L,0x041b4020bf3d484L,
        0x3012cf63373fd06L,0x117bc7a084779f6L,0x18ca07766d95765L } },
    /* 152 */
    { { 0x24347b9af80dfafL,0x2d8c7e71199fce3L,0x1b266ddbc238a80L,
        0x196aa1c6281bfc7L,0x0af31c35f6161e3L,0x31a11ba39fdeb24L,
        0x0175b4c03831d1fL,0x1cc68799a7441a1L,0x0c76da9d620934bL },
      { 0x01f597ba3e4e78bL,0x137b7154267e6a6L,0x399593088c612c1L,
        0x01e6c81d162fcdcL,0x3a22769007c5683L,0x1f9b6bcf1110311L,
        0x129103b6df23c8fL,0x1e58d3d98b0950aL,0x0f9f4ea6db18b3bL } },
    /* 153 */
    { { 0x269eb88ced36049L,0x13ff87d06e67e31L,0x35636a72e10887aL,
        0x2319682ee29a42dL,0x096e4295567dd6aL,0x2aaffeb50b3e316L,
        0x2f26a45286b5f31L,0x3940c7df7ebca3dL,0x120c5d9e0ac0e1aL },
      { 0x3bee3ffacc10da7L,0x0b57e651251b96bL,0x3e863c4220ff67eL,
        0x052f5bd8cba3b05L,0x3c3fc9ef4fe6f74L,0x0efee1c12a78f03L,
        0x03342d25ff3cba0L,0x334b863f4d802ecL,0x1ac1e63e7530050L } },
    /* 154 */
    { { 0x183d07c8f3d6a02L,0x3050f1fbd343477L,0x0bf0d4c7af6171fL,
        0x26209f173c32a65L,0x32b697882c8a93eL,0x2957a2e92840b1eL,
        0x2d64f0633c87d58L,0x007f06ba208bf30L,0x1c12ce9b53f986dL },
      { 0x19639fd95dc1b79L,0x23dd50fd3985aa1L,0x3c4cede2fb9f272L,
        0x203543eba79b9c0L,0x3c2d530ed042f76L,0x375662b0151af0eL,
        0x29491000a4006bcL,0x258a4fcca1b2784L,0x14677782255b6bfL } },
    /* 155 */
    { { 0x381421ee30c98feL,0x03fac3f0b35c16bL,0x0ca614df6ad2debL,
        0x37a6e8c53a26cb1L,0x04f04b16dd38134L,0x01fe32a2910f7aeL,
        0x0f3917fc556ee0fL,0x33504f0720eece9L,0x1998397dd24b1adL },
      { 0x201e17edf4781e6L,0x1f0c651bc7e4072L,0x2613b53090da32dL,
        0x3729f23181e889eL,0x2ddc697092495b1L,0x1582026073cbefbL,
        0x1134d71d3d82bb4L,0x231073f37768c21L,0x0d23dd171b59679L } },
    /* 156 */
    { { 0x3a40f84d4dd7e96L,0x1323aa1027f0325L,0x29e6a9d11393711L,
        0x0863f631b5b15bcL,0x200269e7c3b6066L,0x164a757eb4eeaa1L,
        0x2e365b1413c6b00L,0x2abb306b5f90088L,0x1d36a82621a4798L },
      { 0x2ac45c4c1003c81L,0x27bd6bd0f6180abL,0x1f5e60f774699efL,
        0x2aefd74a160da99L,0x1c84acef1f312e7L,0x34922d48bd4fb20L,
        0x265c6063e32ca29L,0x065cffa6a9f1607L,0x017e3686c9a5284L } },
    /* 157 */
    { { 0x32efe659e90de99L,0x1216f2b416ad8c2L,0x2a52e14e4892be4L,
        0x0c0898a1a1f1229L,0x15eb3db542ad854L,0x11796104987c3a5L,
        0x17573948e81863dL,0x2b7933f87383e3bL,0x03fbd6f1ff57d84L },
      { 0x03711ddd1bf968cL,0x235f35237e91cb5L,0x1223e425a566d55L,
        0x0e1709b410527c2L,0x17c2c17430cf833L,0x050f6766f9ee07cL,
        0x3d3faee3bdc33e5L,0x2046bce16b0d653L,0x1137551cf429fd1L } },
    /* 158 */
    { { 0x128f55b20193bb2L,0x15e741cc42e1c92L,0x2309d345d27696eL,
        0x0caa1c61a297b81L,0x1110386839a43e4L,0x0ccbc420a3044f8L,
        0x05cbb48286ecf3aL,0x236bccd22a8dc0eL,0x0c6698ffcaaef15L },
      { 0x044c54af6908745L,0x0cdb91a8cd4fee8L,0x2852d561e821a6bL,
        0x1c0d8d245fda530L,0x181f613151b2979L,0x3d1a97bdb8408eeL,
        0x114f7f6817dc2beL,0x316fe4f7a82be38L,0x136c3cf3cd5ed72L } },
    /* 159 */
    { { 0x38799ab7b080de4L,0x3de0775a760e5aeL,0x2aaa986f8f633b8L,
        0x0e2952f1729dad0L,0x1a9c2fbb95d74c0L,0x005e24c1dbf2d81L,
        0x286f0d8451b4408L,0x0c98d03c030e274L,0x14c3038e9520c54L },
      { 0x14bc3816977aad9L,0x3f420b5c21ef8f2L,0x020c875fed08adbL,
        0x350d1595bf01b42L,0x00fd6dd4ee1ce84L,0x297ead01c713638L,
        0x2eeb6f23338b226L,0x309b351dfab042eL,0x078e4db08bb5f80L } },
    /* 160 */
    { { 0x111d12a1078342aL,0x11c979566841900L,0x1d590fd3ffdd053L,
        0x27c1bc2b07fa916L,0x33e19bc69cf694aL,0x27773403db492b6L,
        0x32dd4e3ce38f5ebL,0x07154e1003d9ad8L,0x085cab8fdfbe15eL },
      { 0x2943f6b8d09422fL,0x0a5d583e6230ec2L,0x01fa2ef2e4d917dL,
        0x0ecd7df04fd5691L,0x3edaad3ff674352L,0x0d1c90b49d34d01L,
        0x38615d594114359L,0x2533472c9cc04eeL,0x07da0437004bd77L } },
    /* 161 */
    { { 0x24b99a62d712c44L,0x0da3e29a5895de0L,0x0432d65e2287148L,
        0x019bd6f17e23b5aL,0x14ec3479d140283L,0x0c9b6dc39b3cc48L,
        0x32936b96db6f449L,0x086bf296b026328L,0x04d69e248c72feaL },
      { 0x2a89092a71269fbL,0x2f6ea061942d802L,0x02a39fb55db22f6L,
        0x37d8c47a7407673L,0x090ac2c1d0fceb0L,0x2c7cdca9bebade7L,
        0x0c41932393b222cL,0x399d18a9bcf7ef2L,0x0019dea30b22fe8L } },
    /* 162 */
    { { 0x1f689ac12b3118bL,0x3b8e75b2dba959fL,0x22c2187cd978d06L,
        0x206354df61f3f30L,0x2e9f56db2b985b6L,0x38263055d611454L,
        0x212cd20f8398715L,0x0711efa5a9720ecL,0x1fb3dda0338d9acL },
      { 0x06b7fe0cfa0a9b8L,0x22eb1f88b73dd7cL,0x1e04136887c8947L,
        0x37a453152f3ce05L,0x00f51ea64ed811dL,0x321c15df2309058L,
        0x2bbcb463914d834L,0x3d4bbb493954aa2L,0x0019e5eb9e82644L } },
    /* 163 */
    { { 0x365a04e66d52313L,0x25151534fdcaf47L,0x1dafa6b7ae11fd6L,
        0x3615c6ac91caf03L,0x2ae5a8d68921f79L,0x3b17384f5317e59L,
        0x24bd39fde17716aL,0x19e0dc39bb692ddL,0x1efffe94085990dL },
      { 0x3fa0e27d88f92e8L,0x3bc3f671dc48f3cL,0x174c89274dbaa21L,
        0x296e6e89d898966L,0x246ebcaf6d4cfa4L,0x3e38a1c04324274L,
        0x3aeea20317a10d8L,0x2c28ec1dc778514L,0x0eadf0c479168c6L } },
    /* 164 */
    { { 0x1bc1e484c854477L,0x3096d218e391f04L,0x202b869c54d92beL,
        0x0caf879fb490f53L,0x06b460c4ae318deL,0x2909abfbd51c7acL,
        0x052dc138ae7bf3aL,0x37a748eb89b7761L,0x1649d3fc1d55782L },
      { 0x07cae310ade1979L,0x1c1074ed2f1ca36L,0x3c4056c3c9bea84L,
        0x0ab5d2b919ce248L,0x0ecbe49ae36fe18L,0x3107e7d64affdbdL,
        0x2307156680db80dL,0x1cc1cd6eb01bf91L,0x0c06d68b4c7d6d0L } },
    /* 165 */
    { { 0x3e22be7854dfcf2L,0x069f7e9ab8ef436L,0x3ad1a521ec46ee2L,
        0x1e906a52133d18cL,0x32aa123f3ee9452L,0x2b8f2a484517ae6L,
        0x05d9255634a82acL,0x0b63385dab283f2L,0x078504cf7fc1908L },
      { 0x34ce7c43799793cL,0x375862d5467ed75L,0x1f9395ff980874dL,
        0x346e2fd8798b3dbL,0x3dcfcf54f00ea45L,0x0c00d6c09a18d84L,
        0x28a9cb67423b760L,0x01dfa7ef1d4d100L,0x0f47b52ce37051aL } },
    /* 166 */
    { { 0x3f7d8ad96bec962L,0x3207d85f8041ebaL,0x0509214e1058d1cL,
        0x10d08e5327d9311L,0x11a6605136c298cL,0x037e090f644014bL,
        0x1cdea4c36437549L,0x2dec48c4ef87bf9L,0x076249a60f7d27fL },
      { 0x09758381cf593a0L,0x33bbee0d931679dL,0x1333e05c99910c9L,
        0x07d0860238cbd68L,0x34f5e8f4f30ea5eL,0x1b032d1d5bece93L,
        0x3dcc6a2cae6e2ebL,0x3045d82cc1ff422L,0x01aee17901c0ff8L } },
    /* 167 */
    { { 0x048336b89aa9e14L,0x0d09c7d9d9c03f0L,0x0433906b6980666L,
        0x387aedeac8d36a8L,0x3eb59a05330247eL,0x0003d3565a6d2a9L,
        0x026b5bd78ef8258L,0x15b13976ce3ad18L,0x03b06a43e5d7d68L },
      { 0x20ae838ed2a0ee7L,0x2f94a3c5ba204eaL,0x1f5c4ea6413704bL,
        0x2d81b8a619e2adbL,0x2f459ed2b5be80cL,0x1d85486bc66c6dcL,
        0x116f3b7a9cce4d1L,0x1a494e6bfe652a9L,0x00797d92e86b341L } },
    /* 168 */
    { { 0x1aeede15af3a8caL,0x091e0a970d47b09L,0x23fbf93ec080339L,
        0x3139bd096d1079eL,0x081e76009b04f93L,0x0603ff1b93b04bbL,
        0x0aef3a797366d45L,0x076474a4f2ed438L,0x061a149694468d7L },
      { 0x12c541c675a67a1L,0x0e34c23d7fa41bdL,0x3cccf6be988e67dL,
        0x2f861626218a9c2L,0x27067045bae03ecL,0x032a365bb340985L,
        0x00735d1facdd991L,0x3c871ea842a08c3L,0x0152a27e5543328L } },
    /* 169 */
    { { 0x1d609e0e6057e27L,0x22da9f1e915368fL,0x11451f32dd5b87eL,
        0x22343bd478bfd66L,0x125567546ea397aL,0x08a2d20312619a8L,
        0x01997aea45c8b13L,0x19f48f6f839df74L,0x1f80e2ea28fc518L },
      { 0x295412d69d0820bL,0x1cc49c7a9968618L,0x0221eb06380d031L,
        0x3f1d7fa5c1b09f2L,0x35a71d2507ffd4eL,0x1f2dd50dece5a95L,
        0x0dbee361c80051cL,0x0b51781f6d35eb5L,0x1431c7481f49b19L } },
    /* 170 */
    { { 0x2ab2d0408e1cc4dL,0x1d634eb4b707b97L,0x3dfe5c9c7393e93L,
        0x2a74cde5a0c33adL,0x2e24f86d7530d86L,0x02c6ec2fbd4a0f2L,
        0x1b4e3cab5d1a64fL,0x031665aaaf07d53L,0x1443e3d87cc3bc0L },
      { 0x10a82131d60e7b0L,0x2d8a6d74cf40639L,0x2e42fd05338dfc9L,
        0x303a0871bab152bL,0x306ac09cb0678f2L,0x0c0637db97275d7L,
        0x38c667833575135L,0x38b760729beb02fL,0x0e17fc8020e9d0aL } },
    /* 171 */
    { { 0x2dd47411baaa5ebL,0x2edd65e6f600da2L,0x0c40cdffed2202cL,
        0x3c13824450761a0L,0x120748b871c23a8L,0x167a4a25974507bL,
        0x06dbfe586a15756L,0x269d1f1a35f3540L,0x148da0ad0df2256L },
      { 0x0fcc5db7f9069d7L,0x1f49157014c6932L,0x0899e9a2db3a248L,
        0x0e2d3fa5c8316adL,0x0d27f35e452bfd5L,0x38b6b24dce81329L,
        0x3ee7e27cbbc549eL,0x24d800a1c8a77fcL,0x0d03179878d28daL } },
    /* 172 */
    { { 0x1b7e9bb3b66c047L,0x1961a580a8f8762L,0x2297c8db9c0022eL,
        0x28f4229d28d13e0L,0x1fcd398de0e76acL,0x0c8399abefc69c7L,
        0x1c9fc52fbb6eaa8L,0x2cad2a0b43af05eL,0x00f4e00cf6f4e7aL },
      { 0x24c0e9a4890c439L,0x1928aef0d69ac90L,0x079dd9b7497d375L,
        0x03584b7a50a5691L,0x0e60d0033a1ff3fL,0x08905f68d6189ffL,
        0x2b8385815da8c05L,0x25aa941841353bdL,0x120800728d2f16eL } },
    /* 173 */
    { { 0x36f2372ab039042L,0x1a5e327e8213b65L,0x1d2f58bec14310eL,
        0x007f881170f40ffL,0x2b0a5a9283200c1L,0x187ebfe39a1a3deL,
        0x31226526c95d1deL,0x3b45e8788049edeL,0x0898e63dd78c2a5L },
      { 0x36533da22bba4eeL,0x3d8e5fd25a95d2eL,0x29f714f2a6b93efL,
        0x2f477f75cfd024cL,0x269bca1b1a08248L,0x28b80c9d8bccfcbL,
        0x1df7419a177e64bL,0x2f472f143a64dd7L,0x095b87a979f4a56L } },
    /* 174 */
    { { 0x03736a967c1f177L,0x34d4218004cf27aL,0x3b926eac9a5b1b6L,
        0x29b09fbcc725092L,0x1122b48707a9c01L,0x346b2616b64eee9L,
        0x3f175b9eb94e2a9L,0x364514470081b54L,0x0b1d13eb2525102L },
      { 0x3e7dbeb675a1171L,0x20a5705b034ac73L,0x1b5a057c88cab22L,
        0x25b4c03a73e36c9L,0x3269552eb73ea9eL,0x383e637ec3800dfL,
        0x10480fea9d035c9L,0x2cc66183926e34aL,0x037a35e9512c036L } },
    /* 175 */
    { { 0x16729ee8f00df48L,0x329ed846b20c131L,0x17f98b3a8123b89L,
        0x06708728fa925e9L,0x3e2bb3ce7e0431bL,0x371de065169cf7aL,
        0x2b3df12f86cc2baL,0x373c17fc0179397L,0x05ef955dd7add27L },
      { 0x0c22ffa00ee402fL,0x0d78a8ecc2ed338L,0x11d0643cb1015b3L,
        0x114f3465a215095L,0x2f0be54b4c6183fL,0x3083379319993c8L,
        0x24c475a5f4cfee4L,0x07b6772aa5cbe02L,0x19cde4af2005911L } },
    /* 176 */
    { { 0x29d0bc8d771f428L,0x07b36790f28e0a7L,0x2480eb93acf03acL,
        0x2041968a8fe357bL,0x22f0b8a7316232fL,0x0951d2887f013eaL,
        0x315f6f4a8df7e70L,0x0394946b13fc8eeL,0x06b66e21b73e095L },
      { 0x1c9848067a41deeL,0x2a56b9ecf8acfd6L,0x0386891454e12cfL,
        0x37fbbf29a915366L,0x011e9cb75f0dddbL,0x3bc8230d7da46c9L,
        0x333cf6a9b9e766fL,0x1d2a7a37c400062L,0x1c4b8a55ac9d1c1L } },
    /* 177 */
    { { 0x19f58625c4cccb8L,0x3d4824bbd34fbeaL,0x257689efc87870bL,
        0x25b685081b8a3d3L,0x07c52107da2366fL,0x1283c3c240cc680L,
        0x2a47b0478d4ceadL,0x1d526ca267b891cL,0x110ae96534e6420L },
      { 0x0c1d655cced05b0L,0x30fc2405d6550cbL,0x30a48e577cd7abaL,
        0x24d03a635b6ebadL,0x3603d24f184b008L,0x15c85cf49a60d94L,
        0x1141de6e1458832L,0x1fcd074d22c9984L,0x06be52257dcefa2L } },
    /* 178 */
    { { 0x2678f33c947e655L,0x3edda82248de564L,0x2745790239d1ff0L,
        0x248f36edf3acb7fL,0x105f6d41cea0874L,0x2771562084c9b6eL,
        0x0317025b1ae9ae7L,0x22a738514d033a7L,0x0c307502c29a2c3L },
      { 0x0124f11c156ace2L,0x1c3f9de7fc94a43L,0x1a816e1171b22c1L,
        0x20d57789e5d837eL,0x27c6cc79da19bcaL,0x3587ddc06b649faL,
        0x1c06bb285901121L,0x10aeffa03209898L,0x15e4050d338aa26L } },
    /* 179 */
    { { 0x1397829eaad87bcL,0x324d9e07a132f72L,0x024d6ade4fdee0aL,
        0x295a435fd5ad5e7L,0x3d14fb0b950b9abL,0x16839edbc26ca74L,
        0x2f4ff3d0684f232L,0x1ccec1453a74d81L,0x077e63bdd26e8adL },
      { 0x2fd06ece0d25c6dL,0x00086802e8b73c2L,0x17708c5bb398dd9L,
        0x360663fe3f06c09L,0x1b7e2cd68077f06L,0x18e8d5ca1f543fcL,
        0x125a9aef75e0572L,0x03a56fc95e24beaL,0x111847d3df0739dL } },
    /* 180 */
    { { 0x2ab9cc7fec82924L,0x1b75a69c8835a54L,0x27dea06ef0e21c7L,
        0x3089c60e41298d4L,0x2716807c8ab3e51L,0x123c491bd36cd7aL,
        0x1560958f3ede0a7L,0x0e37bc524d91104L,0x0f75f6583d1874bL },
      { 0x39189e10b927eb7L,0x318d670b8bc49e8L,0x02337fe966f4a87L,
        0x208417956142dcbL,0x2e58c39f9102b83L,0x246d4ca58ffb801L,
        0x2ff97b3f052ee39L,0x14181fd6e15332eL,0x16a935e5f6c5f80L } },
    /* 181 */
    { { 0x19a0355dfd88d38L,0x33638f15277d03cL,0x29e304d006e1555L,
        0x1b3f42c3398c89cL,0x135f2ad31f16b70L,0x1e8f7e7fc55b702L,
        0x1e5fb5b30c5213fL,0x2368a7ca7324a95L,0x144a0ecfdd42b85L },
      { 0x1c115df52658a92L,0x0fb45f10a0585adL,0x1f707fd92a91bceL,
        0x3f67357625a9565L,0x35a9472b1663c8bL,0x00cf86f41dd8d0fL,
        0x1c02fb14e44ca8bL,0x3ecc89e87261879L,0x1b5ece0f2c4cc4fL } },
    /* 182 */
    { { 0x3127bab31211943L,0x232b195a10c9705L,0x0b88d855fc3e44aL,
        0x0333a47ba974bf8L,0x078ec7d1247ababL,0x3367fbe9748f771L,
        0x255766a3986de70L,0x31fe8cb1ee19e09L,0x0873e54018beeaeL },
      { 0x16e86f2b38d17c1L,0x3ef431c7e810372L,0x2b79f88499cb9cbL,
        0x33bdc7b202f8446L,0x146c896921d47c5L,0x34c58cc6b2a8ef0L,
        0x28765b5f921c0e3L,0x3c9c0c7e8207b9dL,0x0fed5dafd5f41efL } },
    /* 183 */
    { { 0x2f10b9d4cda1348L,0x1a7f48970c04ea2L,0x25b18957c22bb07L,
        0x31fd6b3c711142aL,0x09fef80295cafd6L,0x38227d773dc6850L,
        0x3d2ba8e12029f5eL,0x32d625d4aa3ec3eL,0x09061e2275f6f70L },
      { 0x30a4ac51fbda16aL,0x0439e7c77e8a8adL,0x2132d9945f6f799L,
        0x2bbad2e93bee8b3L,0x34bf2d53d450d59L,0x18831ea1aa3826cL,
        0x13c6f476010204eL,0x3d5a98fe250f429L,0x13214c91d1987eaL } },
    /* 184 */
    { { 0x14fb120490d66c3L,0x35cca2837208139L,0x0c3804b4294deaeL,
        0x2acc777119ee805L,0x28342ed113f2fa2L,0x0c0d3839c3fd57aL,
        0x0ae3c1b18da72f2L,0x1680ab70c36faf6L,0x09c179bdf6f3e94L },
      { 0x2c928ef7484c26fL,0x2df6c7bcab6ec51L,0x35483f58dda7206L,
        0x0312f1fb6d8221fL,0x1975cafdcfde4e2L,0x1afbb0812134487L,
        0x16db67c5b596708L,0x1d222d5e6aa229bL,0x01522c6d87e4118L } },
    /* 185 */
    { { 0x2890757c471d4aeL,0x12c6950e8769d82L,0x31826aa701a1fefL,
        0x14967197e4ee24aL,0x1d789df35bf4d4eL,0x2de70fca48ebe4aL,
        0x0cf1303ccb46c60L,0x03b125560b39f3dL,0x11c7da081b4257fL },
      { 0x12c6ae59aeef274L,0x16fd3c50df020feL,0x3023e13c86afe6cL,
        0x398a8894d82a9d2L,0x022589fa5d21dacL,0x3e9d2c3ecf55caeL,
        0x2891a93d4a3916dL,0x33ef79db36372c4L,0x19aa0391a3f59f4L } },
    /* 186 */
    { { 0x14ba69e203fc3f1L,0x1a332d8841a8a41L,0x0540aad5fa9f091L,
        0x03affdfb5bec206L,0x0bef94afdecb8f2L,0x02af476cb202986L,
        0x0e0a7ce25d8ca0bL,0x16e69d799e9040aL,0x1b2dd7662ddd6e9L },
      { 0x3dff279f289d7eeL,0x157567ba8881721L,0x3d54c18adac64d7L,
        0x33dfb004066bac3L,0x2b48d70a43a8c46L,0x02ce7be1bf2439fL,
        0x145a20965c53c11L,0x008f9155ddf30e1L,0x16ea33430f757ddL } },
    /* 187 */
    { { 0x29f39490ff53d2cL,0x24565ac00d26e7eL,0x1014d59979678dcL,
        0x2aea29ade2bc429L,0x08b517b104dd72dL,0x1b4e6f83bd77950L,
        0x217f70142b90bcaL,0x044632baa8fa7b6L,0x16da01689d606b3L },
      { 0x26ca563f46afff7L,0x171ee8d29797cfaL,0x24c8aa998fd8394L,
        0x11ad8fd4d7b07ffL,0x0d1f509e542a601L,0x3e33436d4205a22L,
        0x236772d1918daa9L,0x3719994179aede2L,0x1ef4ab03a819cc6L } },
    /* 188 */
    { { 0x2089d14d376d986L,0x1381de8b70d6c01L,0x309a53ff2c86d0fL,
        0x11448f0ff207045L,0x31b656fc2fef4baL,0x3fbea2ee14b3569L,
        0x110b77b57c74891L,0x284a63c14e0f920L,0x04c4b55d3ad52c5L },
      { 0x110cff3f3827633L,0x1e1357802bfa594L,0x38823ead32fa086L,
        0x058ae47361b2ce1L,0x0e6f3638a3dcf4dL,0x22dff5081e2da96L,
        0x1683e733792112eL,0x210cda5901137b9L,0x1223b84210f28e2L } },
    /* 189 */
    { { 0x028a9a9c3ebeb27L,0x3372d4fbd643e1bL,0x2e114dae7f37d7bL,
        0x391c9ba9f27a228L,0x28c141388033522L,0x058855d667540e1L,
        0x0564d859b1aeca6L,0x238d9c67f3faff3L,0x0433a577af11aebL },
      { 0x3f26ce06feba922L,0x320fb91d695a4f0L,0x274028bf378e5f6L,
        0x1a2f70fdbc5fde5L,0x2a6ed90aed2a5e3L,0x291f2f54f40d282L,
        0x0e2bc83b1c3a4c4L,0x003ae93c2a9b937L,0x1c097c7af4374caL } },
    /* 190 */
    { { 0x037717879c28de7L,0x2a8aaaae70cc300L,0x182666bc61eb617L,
        0x33d35e2d4110c20L,0x19870fc72e0b5b5L,0x102def175da9d4bL,
        0x32d03a3b4689f5dL,0x182a6a5ff619e1fL,0x1c06ab7b5eefd60L },
      { 0x19eadb1ffb71704L,0x3962ece43f8ec7aL,0x382cab4f19aa436L,
        0x3eb83cf6773bb2aL,0x16e20ad12da492dL,0x36ef4988a83d52fL,
        0x12eb54af89fa0f7L,0x01d637314286ba3L,0x0b79799f816ef7dL } },
    /* 191 */
    { { 0x2c46462104f98ccL,0x056489cabb7aba7L,0x3dd07e62186f451L,
        0x09a35b5a6d9eba4L,0x0fd43a8f3d17ce0L,0x302ade5ed4d1d82L,
        0x1f991de87f1c137L,0x38358efd65ea04eL,0x08de293a85be547L },
      { 0x182add38ef668b1L,0x39acb584725d902L,0x2b121c1d4263c54L,
        0x23bbfd939ccf39dL,0x02871612a3134b2L,0x2824d652bdc6a6bL,
        0x1108e831c88af2bL,0x0df682d92444aeaL,0x1138febc5c55cf4L } },
    /* 192 */
    { { 0x29ca589c4a2daa2L,0x29c0f1003d8231fL,0x1058d517510318eL,
        0x1c92aedbca5be33L,0x194296ab4264934L,0x314595f42f954f8L,
        0x080ea89af9398faL,0x386c788cb7bb13eL,0x1372f81761e67b1L },
      { 0x1014bc73a20f662L,0x1f9df127b654094L,0x096fb62b96521fbL,
        0x19e8ba34dfa27d4L,0x25804170e3a659cL,0x3b5428d03caca89L,
        0x03c00f1674fce69L,0x2764eaa914dfbf7L,0x198f3c3bfda4ce9L } },
    /* 193 */
    { { 0x2b1f5cd81614189L,0x15b11492c967deeL,0x24b245fb415ec7dL,
        0x371ebdafbe71eeaL,0x074b48e82302bc8L,0x2db46c7e46ddc38L,
        0x280c974a1336e09L,0x2d894a1704d5f99L,0x12d59bcb813c7ccL },
      { 0x1ad83b47c019927L,0x3c999d8c37f56f7L,0x2c5a31e05d23e10L,
        0x3e915ab1180576fL,0x1243cac822aa6e5L,0x372327a51a5594aL,
        0x0a4065c69c9c7f4L,0x0c06eb6c9f82789L,0x1ccdfa7a34eae41L } },
    /* 194 */
    { { 0x36a864d59cb1a7dL,0x19328dabbee3b85L,0x3acb1c22b0d84d8L,
        0x3af66037c743ba0L,0x07f94ced97e80a6L,0x29cb0457d60ab31L,
        0x107bb7a29cd1233L,0x028c3384a8aa31cL,0x1500229ca564ed8L },
      { 0x374bad52f1c180bL,0x2fa6635d26a8425L,0x08ab56dbd1bad08L,
        0x3902befaa6a5e31L,0x3153dc5fc6ed3e3L,0x2fa4fb422a2fa5eL,
        0x2e23bdadc7f0959L,0x0a77a3490a420b3L,0x016417523c6dc27L } },
    /* 195 */
    { { 0x0eeccf16c14a31eL,0x3894d2cb78f0b5dL,0x35997cec43c3488L,
        0x27645ab24dbe6ecL,0x29f7e4400421045L,0x1154d60dc745700L,
        0x14a4678c9c7c124L,0x2eb67325d5237b2L,0x14e4ca678183167L },
      { 0x33af0558d0312bfL,0x2fd3d5505879980L,0x05a7fa41781dbd1L,
        0x2a003bbc7549665L,0x079c3b8d033494dL,0x327db9a5b1417b0L,
        0x030aaa70ae1ade1L,0x018300a23c305daL,0x00c7f4cfe3ba62aL } },
    /* 196 */
    { { 0x18b447d057d6006L,0x25db9bf5c722c03L,0x2029abcf40f538bL,
        0x21bc40e9e0d79dfL,0x05e472c4b13bee3L,0x07f2c650829ab08L,
        0x0abf4943b045f63L,0x1ade79770767f00L,0x1b528c0bc70a555L },
      { 0x29d07ee8a8640b8L,0x04408f438d004aeL,0x255bbe24ae89256L,
        0x093e95e77371f39L,0x1377bbfe5e358e5L,0x30251f915f389c5L,
        0x29782664651c6c3L,0x305697ef63543d2L,0x08d6fcdd28fe2e1L } },
    /* 197 */
    { { 0x164a2f65c7202c8L,0x0d01496952c362dL,0x16721434fbf57d6L,
        0x1787660c28e1053L,0x15ef0fbe1811421L,0x1bd5fe7f1e9d635L,
        0x2269d35705dcf8eL,0x27e5d7752695b64L,0x0f18f015d7abdb4L },
      { 0x3131110b4799ce6L,0x2fee64b2f2df6c1L,0x0c9ff7ba21e235bL,
        0x04ec63d27fb07c0L,0x1abcf959b009d69L,0x350851ba3698654L,
        0x1f23f10e6872130L,0x0e1ad560ca05eb9L,0x143c9b5bb689ae7L } },
    /* 198 */
    { { 0x23328db48c74424L,0x05b8474672cbad0L,0x192a40d6e217326L,
        0x13032f71d4b94d0L,0x0d733bb01dd83a9L,0x2de914817188c14L,
        0x0011c8cd0d631a5L,0x1f3573370289669L,0x1e622f112cc646eL },
      { 0x3d6e29a3e1e4c4bL,0x2094e27ec552291L,0x05b54fd3e319d5fL,
        0x2682822e599f8dcL,0x3d8cbe8db8c4ce5L,0x3bb0f5d6f29d279L,
        0x1a313dcc4496eaaL,0x24d805f71c8ea28L,0x1a5250ff77a8cebL } },
    /* 199 */
    { { 0x15a0726fe29bd79L,0x12a0413e642cd29L,0x146daad56983657L,
        0x2e543507fbda41aL,0x06e6f7f450e580aL,0x03cdc62af1d6d45L,
        0x234087508cc97bfL,0x2244146e8b29295L,0x17275c39077e64dL },
      { 0x37cccaff77ca6bdL,0x037d06f6c637d7cL,0x0ff8019e01f7e0aL,
        0x112a9975cae7d1bL,0x06e3663e9be4f3dL,0x3be76db5e08b62bL,
        0x24a9aa5f37f9223L,0x322e9fc2b4e76afL,0x098a0a57c70f69cL } },
    /* 200 */
    { { 0x1c50cf400fd5286L,0x16e755ca92c0f36L,0x0f9e051ae73e1eaL,
        0x10a546ce093d798L,0x09fb4d667fe9b51L,0x3714215ac0d2cb4L,
        0x30022e4b537a80eL,0x22bb9a7b8404a32L,0x0ed7c8b9e5c6a54L },
      { 0x06007bcd933619bL,0x1d9a38ae77f865dL,0x15d3cc6e2a2e0ceL,
        0x17dfbafccbea7bbL,0x167cc4f6435a14fL,0x214305b1d72e263L,
        0x379c96cb2185fc7L,0x11d10261d29d917L,0x1397468f8ae27dbL } },
    /* 201 */
    { { 0x1de68adc88684f6L,0x3b6aad8669f6ff1L,0x1735b27a18f57c1L,
        0x1963b3627ac9634L,0x2d879f7eab27e7bL,0x1f56fbecf622271L,
        0x3ad73ca8fdc96d6L,0x15b5f21361ab8deL,0x1a4c7e91976ce8eL },
      { 0x001a5406319ffa6L,0x3993b04d3b01314L,0x296cd541242c0caL,
        0x3bafcb2bbb87da6L,0x028bee8059da259L,0x23a24392239e5e3L,
        0x227fd9e9484bebbL,0x18c6039491b43ecL,0x1b78be2a54a625dL } },
    /* 202 */
    { { 0x223554af472f13aL,0x264edd5ccfa4728L,0x29f096c168a2facL,
        0x0752c49d4d49abfL,0x3e77070ca7cfe76L,0x1f9f37da10c061cL,
        0x162ed466b6aaadcL,0x3e36368b757aa85L,0x016a81a2e0039faL },
      { 0x080759c4e3de3bfL,0x38b8454bcc222aaL,0x2d9aaa7eba5b0c1L,
        0x14e7e70472b2cb7L,0x3b0dc5c194c65d5L,0x28fd2d842ae6f61L,
        0x0b5f9fd32f8c96cL,0x0877d2610bf30a3L,0x0f431ae27ccb90eL } },
    /* 203 */
    { { 0x32a0a0d6a0ccd0aL,0x3bb209664ed554eL,0x06fd9de672a6a3eL,
        0x1203681773ec4d2L,0x16739874d8d9c51L,0x0a68d72712a9113L,
        0x177eadd9cf35b2eL,0x1c2875af66d7e24L,0x1d69af0f59d2a04L },
      { 0x2f844c7ba7535fdL,0x3530f6a10bfce6cL,0x09ede951974b45bL,
        0x25ff5114fb17f85L,0x1e6c37c0e6982e9L,0x0b0fbdaa98fdc17L,
        0x36a8d609b0f6a9dL,0x06de2fb74d6185dL,0x1764048a46aede1L } },
    /* 204 */
    { { 0x07c6ee551a251d1L,0x12fc48349e77f69L,0x138cec518a28befL,
        0x21ce202f9b930b5L,0x21be9b20b1b2b78L,0x1e5a867b1a733e3L,
        0x10bdeae41dfeae3L,0x20300959dbf27edL,0x16a8b815a0503e1L },
      { 0x0a085f653f5ef65L,0x3eefe5dec94414bL,0x07e3a3346fe661dL,
        0x3b86e57dfbe23aaL,0x15b65eaec25ddfdL,0x30b808ec881d39aL,
        0x283bb511869a154L,0x1f9f61806d5dd0bL,0x0151464652cfa87L } },
    /* 205 */
    { { 0x10853c857fa58f1L,0x2939a1329319c09L,0x2d0a1b81f40db58L,
        0x041563a32f41ee5L,0x242e388cfa4651eL,0x110d8220699011bL,
        0x2b8fd051b0d5394L,0x33f3b0afcd6cf89L,0x0fd4ae787095702L },
      { 0x079bc29df53d498L,0x0c713844dfd890fL,0x056c17a3cedf4cfL,
        0x071b36445764edaL,0x39228cddb246113L,0x3480afc6acc2914L,
        0x108612e97757b68L,0x09ad2999b79f398L,0x051c200fe654f60L } },
    /* 206 */
    { { 0x296103cb1a2b4b5L,0x332ffa10f025a3aL,0x072d986ffb5b98dL,
        0x3c85a74eb09a8dcL,0x2771371f12fa07aL,0x1f0a67be2ee16e6L,
        0x372efceae10d34eL,0x15bc4f52f71a788L,0x039378df75d8dd8L },
      { 0x1e902ffde7ff5d9L,0x2a1748c9682728cL,0x13a6f4192fcd0e9L,
        0x0dc56c1dacf5c6eL,0x26e711d1cf52a57L,0x30a4a0675c9aaa1L,
        0x015de60b61b1df2L,0x2791c89395d7320L,0x1dc68e893e118b7L } },
    /* 207 */
    { { 0x3924ff96ffeda73L,0x27d01a83688062dL,0x20eaf89584dfe70L,
        0x0ba0d568100da38L,0x0fd777d7c009511L,0x2fe3cb20967514aL,
        0x05311bb0c495652L,0x36755fd8c64a113L,0x0d5698d0e4f8466L },
      { 0x10d64fa015d204dL,0x09afe9b744314f8L,0x0e63a7698c947b6L,
        0x11c14cde95821feL,0x0df5c782f525a65L,0x157eebfd5638891L,
        0x2e383048aa1e418L,0x18f4d23c886391fL,0x04df25239591384L } },
    /* 208 */
    { { 0x2f4fd69d8695310L,0x3ac27dfa1da3a9dL,0x1812e0d532a8e28L,
        0x11315cab1e40e70L,0x0785d6293dda677L,0x369daec87e60038L,
        0x3c72172bfe2a5a3L,0x22a39bb456e428aL,0x04cd80e61bfd178L },
      { 0x1f4037016730056L,0x117fbf73b4f50eeL,0x363c1aa5074246fL,
        0x14bfe4ab9cc2bf5L,0x11bb2063f21e5c6L,0x0b489501bbc20c3L,
        0x15001c18306ecc1L,0x150913b766ce87cL,0x1f4e4eb25b8c0ccL } },
    /* 209 */
    { { 0x161a714a1db5c18L,0x139879d9dc1d33bL,0x3be57bf685de945L,
        0x14f48516f97a5c3L,0x3ee49a5f2221b0cL,0x12c4740ee4c6206L,
        0x02213700b91afa1L,0x002bf1abbf924fbL,0x13c50554e945262L },
      { 0x02c45e77364c92eL,0x000995cd4863a35L,0x1a0284d3f3c5e05L,
        0x0936fdd91af4a07L,0x2485f304f312f84L,0x049e944f86a23caL,
        0x20e0bc583f56311L,0x1c293b5e5431c69L,0x0c692855e104b7bL } },
    /* 210 */
    { { 0x106185c644614e7L,0x01b2b91d2690923L,0x12ea2587e5282e9L,
        0x02b44a15f356150L,0x0ba5593b5376399L,0x3574a919dc31fdcL,
        0x29a1bac2cf6dc4dL,0x2576959369158edL,0x1c8639f7e141878L },
      { 0x1c96b02f8589620L,0x11a28d079101501L,0x1a11096ad09c2feL,
        0x2627194abbafc8bL,0x3547e1b8fbc73c2L,0x1df6fdcf37be7e2L,
        0x13552d7073785a9L,0x0f4fc2a4a86a9f8L,0x15b227611403a39L } },
    /* 211 */
    { { 0x1a5a7b01fbfaf32L,0x298b42f99874862L,0x0f5ef5e3b44d5c5L,
        0x3b7d0eefd891e5cL,0x1260ae5a03ea001L,0x1a5f18b2a39d0a1L,
        0x1a7643eb899ebd2L,0x09698da800f99d4L,0x0eaef178c51ba07L },
      { 0x2cf8e9f9bd51f28L,0x3aef6ea1c48112aL,0x2d3a5bfc836539fL,
        0x334439bc23e1e02L,0x08241ab0e408a34L,0x22998a860413284L,
        0x2048d6843e71ce9L,0x3461e773a14508cL,0x1fa5cba23be1cf3L } },
    /* 212 */
    { { 0x3e8c9d22973a15cL,0x3b237750a5e7ccbL,0x0a390b6afb3e66fL,
        0x0daad97bc88e6bdL,0x266c5fcdb0bb1e4L,0x2bd21c2e3c98807L,
        0x344e243cffe8a35L,0x05c8996b8a1bcaeL,0x114da2e283a51ddL },
      { 0x29c9a56c1e3d708L,0x18b4fc72c3be992L,0x298497e875404feL,
        0x1acf3a91bebc1c0L,0x283886263138b7dL,0x070c24241e018d3L,
        0x03864727e842807L,0x2899fc2bde75f96L,0x104c1b86582b236L } },
    /* 213 */
    { { 0x2ff09eda526c894L,0x2fc48052b1f48ccL,0x0dcd3cd9293495aL,
        0x04a4b9ad55adbe5L,0x21036c31bffaaebL,0x01ffccb864de5baL,
        0x1d67b8a9d237e77L,0x0922f59696c360aL,0x1b348edb556db29L },
      { 0x2e9f9b2ded46575L,0x32822bfe9a6b3dbL,0x33a1f16d37d1496L,
        0x2c5e279740756baL,0x1c827cc454a507dL,0x259399dc178b38aL,
        0x0e46f229b6e4a52L,0x19214158ec2e930L,0x0a3e75c24484bc4L } },
    /* 214 */
    { { 0x3cb476fd2f6615dL,0x3e6de36636a6a43L,0x1f1cd2bdf1074b7L,
        0x21a6e55bcc78bf7L,0x3b596eadf2bda30L,0x156c94e3cf328bdL,
        0x0846db91c09f8b3L,0x190b91bcfdbcf1bL,0x1ff9bb9398e2a14L },
      { 0x118d4f5a17bd645L,0x0cfaaf6f5b55494L,0x06fc734d0957570L,
        0x17d7d4f10d401faL,0x3fd27dd1998ca06L,0x254b472a652766fL,
        0x2c101cddc4e3046L,0x2c01e132ad3ee06L,0x00346d079f94a56L } },
    /* 215 */
    { { 0x1eb8e4fa6bfdeddL,0x28a179e9d31be65L,0x14d13d09a252993L,
        0x3986697dd9e2f57L,0x20cebb340eaa10bL,0x36fdea0f4f6c20fL,
        0x0f23e1c633a78b1L,0x20de49992f0fb0cL,0x1c96630f8f107a0L },
      { 0x3f4cb4bdef86a80L,0x13b1e0fe0966aeeL,0x3604609532c81faL,
        0x3322e427a4a92fdL,0x31788416071bb7aL,0x286ae4a32875cc5L,
        0x0455a57f7f14becL,0x3a266ffa805b97eL,0x02d7b8c76b9bf21L } },
    /* 216 */
    { { 0x28605634b9f8e7dL,0x05dadd8ff162a11L,0x1a7e2feed68a201L,
        0x0f99460c6439e97L,0x2e9377ad6cc6776L,0x1c0c8c85f5f4040L,
        0x0bb505ccfc47207L,0x09da55cfb80c54dL,0x0f31bf1ef8c0f1aL },
      { 0x35f5c4b0c935667L,0x14b0e41834ae2d8L,0x2c2e37c3a574741L,
        0x1302dcb8337bfeaL,0x1f4f60247fd5fccL,0x2785bccedd0fe6eL,
        0x34ef9c05c2e3547L,0x2b38e888d311cc1L,0x1244092f279495aL } },
    /* 217 */
    { { 0x3fd7851b30f9170L,0x2a87a4dff396c56L,0x15e0928437b9715L,
        0x1670cbc49cf3ff5L,0x248be1e3488acd2L,0x296f18ad685173cL,
        0x156f463a3408607L,0x3870d8a5bac5460L,0x1e7397fad192774L },
      { 0x22f99f49c8225b5L,0x3f39251addf134dL,0x35308541e91b33eL,
        0x0d0e3cf5a4d1477L,0x2e727b54e0bd2d9L,0x188b65002d778b5L,
        0x36a94b42d929c27L,0x3c814dab39c8d5bL,0x04464a18cd5fccaL } },
    /* 218 */
    { { 0x1be0aababa95d63L,0x203185ed2cd1b63L,0x38630e0d8142927L,
        0x0aad5bbc13190c3L,0x1785e3633875be0L,0x04b24f930a3fae5L,
        0x2f82a3d5401795cL,0x2bf5a27fd47078dL,0x16b3c48c89510eeL },
      { 0x1287ebad4f064beL,0x1f555553af6a65eL,0x1ef2623727ea1a7L,
        0x24627cd9b1919d1L,0x1c59d6ebda911f5L,0x1493484df950d73L,
        0x15b38d3a84daea7L,0x0f1271ec774710eL,0x01cca13e7041a82L } },
    /* 219 */
    { { 0x399860c874d64b0L,0x16c248594f38318L,0x0000eaa11986337L,
        0x0258873457459c0L,0x277d70dcd62c679L,0x016f5336f875f75L,
        0x2f8f30eff0f2703L,0x16de01dbb1884d8L,0x1d8812048167e44L },
      { 0x1749a0e161f9758L,0x2457fa8f13f38a0L,0x0e41911dd8afe60L,
        0x2b1e6946827d4dfL,0x02ca5cf8efe36a8L,0x12415fd59fed52dL,
        0x244b641bdcae07eL,0x1960edc7fc31690L,0x1064815a5364b60L } },
    /* 220 */
    { { 0x0c69c3eef39cc39L,0x011593e98d5b45eL,0x3542412fb990983L,
        0x34de76eca96f4f0L,0x0e7e75e3da1d531L,0x2c051ec52197c62L,
        0x129ab02dac4e220L,0x1d3bfd6794728cfL,0x0f1c964f7fe37b0L },
      { 0x080c0a60e301262L,0x1601814e4288b5cL,0x3f9acc8a90299a4L,
        0x15c5303c70b699dL,0x26e66d9f7dfae90L,0x1e11a490d997fc5L,
        0x0c307cc866dd8c4L,0x1439316bfa63f13L,0x03960e3ba63e0bfL } },
    /* 221 */
    { { 0x2785136959ecdb3L,0x2bd85fe7a566f86L,0x32b8cde0dc88289L,
        0x2c1f01e78554516L,0x350e22415fe9070L,0x1635b50bddfc134L,
        0x3b629ab3ab73723L,0x3f49453f506e6e9L,0x1937b32d80e7400L },
      { 0x1d80d4d7147886fL,0x33b5855db2072b9L,0x0692642717bbe08L,
        0x262aed2f487853aL,0x26530308b9dcdf1L,0x2674671d962f991L,
        0x0ab126fbf192dadL,0x378c5568f46ccc1L,0x00e943f4be5fa24L } },
    /* 222 */
    { { 0x14240587fe9ea48L,0x13e09586d5d21b1L,0x013c78719740af2L,
        0x1e5c3ae1d3674b1L,0x0b62ba3aa27a9beL,0x306fc2b10ffbe38L,
        0x3130e10a23f2862L,0x33afd4709dbcd2bL,0x185f6cd1e9aae55L },
      { 0x0defa7f40369093L,0x076759616078289L,0x3f33e512ed9e11fL,
        0x167b448225a6402L,0x28b73c399bf8a84L,0x3dbd53fa0c91557L,
        0x25235554a305698L,0x0ecc4aa75b694f0L,0x16ae6a6f9042a09L } },
    /* 223 */
    { { 0x2e123c9152cdd35L,0x390ea21900bbc6cL,0x30dfb9ce5bd5ae6L,
        0x129d601245224afL,0x3f502eec2b4acb8L,0x28cfbd3a31fd57fL,
        0x1d20019c8a7b93aL,0x2f3ac1ac40d5ff6L,0x0273e319ff00ba3L },
      { 0x02c2f77abe360a3L,0x3d7212b7fbf2986L,0x0ca6650b6fcc57eL,
        0x15aabc2c80a693cL,0x0a24ef1563f4f8eL,0x3a917c4d7214228L,
        0x036dbed8f62fd91L,0x040efcb248e80a0L,0x18a4a9ca4c01a4dL } },
    /* 224 */
    { { 0x23fb7985448e339L,0x1dc33c628e65d8aL,0x174d7a69170cde8L,
        0x164ad819eb04581L,0x0848138ab4bb05cL,0x24279e537834b6cL,
        0x0315f7149dab924L,0x289620e8cdad9e4L,0x13ccd9074d9a335L },
      { 0x039c5e0ac1b784dL,0x17231bb949eb87aL,0x2146a1c88ec0ab6L,
        0x2411b06fd634f21L,0x33fda502a2201f7L,0x096e4195c73b189L,
        0x16dfcdff3f88eb2L,0x29731b07c326315L,0x0acaa3222aa484fL } },
    /* 225 */
    { { 0x3e74bc3c9b4dfd6L,0x2a014fe39d8a4c5L,0x1c059d8c352025bL,
        0x332e16882d00c1fL,0x2238713591c9036L,0x2a57ed3bcb18fc2L,
        0x10c6c61a99d9d8cL,0x259a0f5f13ce661L,0x169162969c96829L },
      { 0x113c267cb63ee53L,0x04b985d7ab0d4dfL,0x1a11191abfca67bL,
        0x277b86bda7eccdaL,0x011dc11e75ad064L,0x2e7e5d9535e9bc0L,
        0x2b133280f030b8dL,0x3318a8800068fc2L,0x194e17c98d239d8L } },
    /* 226 */
    { { 0x20d80b41d8fe898L,0x28a2dcc86114d1cL,0x038504f217408d7L,
        0x35459aa9abfc7cfL,0x0cc560e355d381cL,0x39878b367379821L,
        0x34951acb041f0a5L,0x2b0b188445bd766L,0x0c4509e16d37ee2L },
      { 0x02a20c42c6fd79eL,0x1fb938ebde2c3aeL,0x23c1bad819ca95bL,
        0x37a615495a4f66dL,0x2f9c19d0f10d674L,0x1f179aa45f7992cL,
        0x22db6fa03fabaf4L,0x3463a162f12b4b3L,0x0c976c2380a1fc9L } },
    /* 227 */
    { { 0x1171ef8b064f114L,0x2c55953cbc3d324L,0x185457b262b783cL,
        0x0043cd24db0c149L,0x299a41fed468c67L,0x1fdfdaa7bc9b4bfL,
        0x1bfc1bf6da2267aL,0x3b500958ee36e80L,0x00e14b36c85c340L },
      { 0x257e26425db67e6L,0x3d3a25fcba417d7L,0x2514026c426885dL,
        0x188fa1d424de0cbL,0x03c538691312be2L,0x15cd3e7615ad6f6L,
        0x2a48615b1cae559L,0x2ed61681eff8b56L,0x1d07a4c96f0ce8aL } },
    /* 228 */
    { { 0x3f54d05523aa2e9L,0x107833b4f42181eL,0x36e27f9bfb69c88L,
        0x11058af7e155a0fL,0x107b0dcc9dcb07fL,0x15e94db98b45e0eL,
        0x347d3ca2cbb8ab6L,0x18dc262e68349f3L,0x1f2ff154d685eeaL },
      { 0x28b768a56b232acL,0x35b8d8fca94aad5L,0x3a168837fc604e8L,
        0x20f4429da46eba1L,0x0f9455fbeebc58aL,0x359538bab5792bcL,
        0x3c82551a20d6c37L,0x2e4c63103f2e769L,0x0b26d7b3cd760d9L } },
    /* 229 */
    { { 0x3090c3ebb2eaf45L,0x1364718bfee4bdeL,0x3ea4a736f23ded2L,
        0x2f5bfc3f78efca8L,0x1ca1102f5b5b99eL,0x1f80caa2f28ad57L,
        0x3f17a8f6203cd80L,0x156c55042d122a2L,0x109b86660a7e1dcL },
      { 0x148b1da02a2fbd8L,0x217a2cec8ba296cL,0x20e48712b509fedL,
        0x1231a8f94584de2L,0x01633b503685601L,0x15449c45c402487L,
        0x131047939251432L,0x382eded24c7481fL,0x0ea623e722b8542L } },
    /* 230 */
    { { 0x04823d324972688L,0x20f04800fd5d882L,0x26906d0d452858bL,
        0x210b1bdd1f86535L,0x10146d89a842195L,0x1146ef0b23e28baL,
        0x3284fa29ec1de77L,0x3913fd88adae3dfL,0x06083f1dbe97b71L },
      { 0x1649333999dd56bL,0x2b02ea5e91f7a66L,0x18aebbe8fb202cfL,
        0x363d875ef299983L,0x185adc14d47c29dL,0x3e7f5071bd7ed47L,
        0x113e6ce65ac7884L,0x274f8739a7753fdL,0x0231ace591effe5L } },
    /* 231 */
    { { 0x267a438a9fda771L,0x3d94b2198c4038bL,0x1e48e133f23b626L,
        0x3c80d74b47f7ec6L,0x28d13e878599f88L,0x2d47381c5c8e844L,
        0x19ba82890aa292fL,0x052d397ce9c3aefL,0x155dde826733745L },
      { 0x0b2b77ed6f59a95L,0x214f8c080810802L,0x2ac1ebac779793fL,
        0x266d5ad99d94894L,0x19722a5006ecdcbL,0x138aeb412af6e7eL,
        0x34dd4d26210f3f0L,0x2e034329683fcc0L,0x041333d8080dac0L } },
    /* 232 */
    { { 0x051070935a85a06L,0x19b9d90bbc6d13aL,0x0b71a07b3a6d4e1L,
        0x000c0ca79aa12a4L,0x13d555259d6dd6cL,0x3e2b41788312e99L,
        0x34cccdee3b26af6L,0x19090838f5504aaL,0x1bd79798934a940L },
      { 0x2a1d1848e0c7ff0L,0x217bf2550ecd03cL,0x31aef51d318bbaeL,
        0x139d61e3e9ba590L,0x3c2895f52e5d3edL,0x3c4419f134a8a76L,
        0x3f4ee53af278771L,0x1d369b337a59279L,0x19235188da1a56dL } },
    /* 233 */
    { { 0x083212003d310edL,0x3ba33261ec0c46cL,0x1d2684c558a8d20L,
        0x33adc59fb227952L,0x04bf55bb55e25f3L,0x1872405eb3c453dL,
        0x3343c0819edc770L,0x2d7b5d669139b7aL,0x07858df9f7e04c9L },
      { 0x3a47ebb3bf13222L,0x147737a81f68453L,0x3ac3c0d8242f1e4L,
        0x134dbae1c786fa7L,0x2bea3190d93257dL,0x3af8accfd279dd6L,
        0x110096406d191f4L,0x2b1e19eab14f030L,0x1f45215cf8bd381L } },
    /* 234 */
    { { 0x07e8a8efa493b79L,0x389c2d3ac70ab0eL,0x3fa09ff22320b20L,
        0x2baa470e4f67ce4L,0x2138a8d965ee1baL,0x1ef543937b6a586L,
        0x23c8e069ab238c9L,0x1305bfda352288dL,0x158af8e00e5ce4cL },
      { 0x0cdcf06cfc509a1L,0x1047bf09b301d5bL,0x1fd64d9c57f060fL,
        0x14ccba672b1b433L,0x18b8e9510a95148L,0x04370ff563e6acfL,
        0x2f3509a7e98709bL,0x04b1e0e4210f5d7L,0x1b628ccc9d05a93L } },
    /* 235 */
    { { 0x1934f00e341463fL,0x229b3854369e807L,0x20fc4109553f14cL,
        0x16aa4fd2a476d21L,0x32cd58067c23bdeL,0x10cf72027d1f1e1L,
        0x232a7d1d3300548L,0x176a4302f9fe5d6L,0x12e08b777d588c7L },
      { 0x3c1281761a10d37L,0x2d86057143d6977L,0x15db79477c60ed7L,
        0x1dccf14c42ca2beL,0x053118267a0aa2bL,0x2d06567e417eaaeL,
        0x337784f40e98166L,0x1ab32732d09485aL,0x0c56835d77c6986L } },
    /* 236 */
    { { 0x1d714cb2b450a66L,0x222171f6ff7053aL,0x0d85b466a0c0131L,
        0x2656f7f0699956aL,0x0e67792d102a21eL,0x15429e5de835f26L,
        0x34d3372a01bb57bL,0x352550b1188cd75L,0x08b7be4e1c088daL },
      { 0x073b03f95812273L,0x1bb4cbb8fdd5fc6L,0x0eae6da6217a2e2L,
        0x1d098767d3cb1c4L,0x1b7c1da2d9b50b5L,0x12a1779d0e5c7eaL,
        0x22137b22c4fb87cL,0x0649bdcb0d147b0L,0x1731345668c77baL } },
    /* 237 */
    { { 0x23e8c7a8a3ba183L,0x33aeeff8e27e9cfL,0x06870f9ba60f4e8L,
        0x0d72d806a0e3a91L,0x212e52db455176eL,0x3dc4afc7e42f709L,
        0x2054cd95f9e4598L,0x3502e6f4c803efaL,0x17a2cf19bf6dd5fL },
      { 0x1cf6ca266736febL,0x21bd2779f3f8bdcL,0x3ce8fc290563bdeL,
        0x339c9adb93f182aL,0x13f29235baae8a3L,0x143fe97b48e0911L,
        0x3ef744a4b557f56L,0x1b74a8514f95044L,0x1b07c676a533e42L } },
    /* 238 */
    { { 0x1e603f235d96872L,0x288f30fe96e32bdL,0x071be988dc5fab1L,
        0x22750c302f55166L,0x0764d9cc3e32e84L,0x0b031035fb09a78L,
        0x3b83b4f7238212fL,0x29044b651860e21L,0x010281fa6712f18L },
      { 0x028048f64858b37L,0x0526bcd5f797660L,0x0791619ebb18e0eL,
        0x2ce7cac2e82c886L,0x21039cbae210200L,0x255e74756a1fab9L,
        0x08515e4efdcddb3L,0x1e2a86ce23aa89eL,0x02c1a552c3cc818L } },
    /* 239 */
    { { 0x2c7f5000ea723dcL,0x3c13d10ac548c5eL,0x1445be885c860a5L,
        0x0fffc465c098f52L,0x0c4c58cea61f999L,0x273580db0fee917L,
        0x3923bbe6d151e6bL,0x3f519d68eac555eL,0x1474ec07c52ceb2L },
      { 0x06a3d32ed88239dL,0x2e2b9a0d6b9a531L,0x23259feeb2e70d1L,
        0x0710ef02ed7d3f7L,0x38f62a705223bf7L,0x3f9e6694f34882dL,
        0x2b7f932224860e9L,0x2562f61561c0c92L,0x10f8e0f7330b594L } },
    /* 240 */
    { { 0x335c7bb3c67d520L,0x12562c8ff2a7b2bL,0x31948bbaa808d8fL,
        0x33884d7a2b81de3L,0x1c888eff7418c30L,0x1cc512af376366aL,
        0x06a53472075df0fL,0x1ff16d527225514L,0x11c4ef389795fbbL },
      { 0x3e2c9ac43f5e698L,0x1ff2f38e2978e8fL,0x090e3089c2e1ce7L,
        0x3feb0756005b417L,0x0381b9d2a5a74f3L,0x17ce582ebbb6888L,
        0x37abbed958b143fL,0x2dc6197ff414436L,0x0ce8e97e6807a05L } },
    /* 241 */
    { { 0x251e61b8ce86a83L,0x10567efdf9c5808L,0x3dd748f03377860L,
        0x0dd1414890bf049L,0x0934ea09b87cb2cL,0x119e5106f52543dL,
        0x3a416a5146c403cL,0x23ac7a2b51c408eL,0x1b389b81a60af63L },
      { 0x299934ee8150c69L,0x1d642389f052f39L,0x28916a0194ff74fL,
        0x0c86f546dd97702L,0x21877963038f49dL,0x34ed29a1af0cc17L,
        0x0af189fe2f3fbffL,0x0426c5026cddf5fL,0x1b3029ea13b9b8fL } },
    /* 242 */
    { { 0x37938d225a2fd88L,0x3cbdf33ae8180fbL,0x1c80d7a6dff4890L,
        0x0d8a20fe61930f8L,0x2998e530500c78fL,0x097771cfb64ad64L,
        0x13708a018a8f1b3L,0x0a2edb7ff661f57L,0x059dcd3554f0d1fL },
      { 0x3c6e41d23a74e7dL,0x187af976ccb7d85L,0x3fa79e7ffa0b94bL,
        0x2dcbaede834f0bfL,0x201adf9c3473662L,0x119e4992a19057bL,
        0x209c571502c3265L,0x242185a444d24beL,0x195897f34aa2474L } },
    /* 243 */
    { { 0x045d359abadc253L,0x12e4b31e5f25792L,0x35bd9a218212e05L,
        0x17a94ae209c8aa6L,0x22e61c6769bb80aL,0x22c3e2cfa8e39e3L,
        0x1d854cfb274b1a0L,0x0b5cedaa90b8f6eL,0x1638ba225235601L },
      { 0x0ec0e6f75c8c576L,0x0839f392f1f749fL,0x20c869d80726abbL,
        0x1aa2808fadc2562L,0x276110b15a908c6L,0x21bd869b2a7d43aL,
        0x0a69d8668c99941L,0x2843e777c8bb4a8L,0x1e0bfee1897bbf8L } },
    /* 244 */
    { { 0x2d8681848319e4fL,0x1bdad56961be809L,0x1886267132656beL,
        0x316614a73eafbd7L,0x162b29cfbac252aL,0x0a98d6379f3117cL,
        0x00ac70ee050609aL,0x2c7c3df2e7290a5L,0x1adfb44aaeca885L },
      { 0x2b7a936e798678eL,0x07840e655010e19L,0x1e37816860b7ca0L,
        0x20edd17615fc924L,0x0a4705ed6eeffd4L,0x0a9743dd76ecd8aL,
        0x09fee357d68d49bL,0x35a1b46a14a688eL,0x1addbbc25491a7fL } },
    /* 245 */
    { { 0x10cba20969686a3L,0x2c71578f014fd78L,0x313426f47102308L,
        0x2c5240cc0e05c4aL,0x32d01527b1f9165L,0x2a68d38916dc805L,
        0x3e35c86fcf6647aL,0x38e0947d52e52c2L,0x0e3fccb22a55a15L },
      { 0x271e4ec5b4dc0beL,0x0d89236c735712aL,0x3f43046e1007bb1L,
        0x35f6a72668fcdafL,0x28349bc505a6806L,0x04f8214272ff1bbL,
        0x3448c126871e73eL,0x2ebe579aa889d9fL,0x1b9ba77787c2da7L } },
    /* 246 */
    { { 0x2be58eec5a73375L,0x37da75ea2b10e06L,0x150aceca835a175L,
        0x027d41f4c3cb3ccL,0x3c60b0424b87b06L,0x043e43b26b94e8aL,
        0x1689bb4931e1824L,0x06a3914b1f43eb7L,0x013ab4534914763L },
      { 0x32dd8568c84f3afL,0x3702486eab8cfabL,0x2a858b96b070829L,
        0x103a2a094591950L,0x05c35322b42260dL,0x27b6834ae797b6bL,
        0x22b90abca795603L,0x14c0a1af41f1ae5L,0x10a2e22dac7b1ecL } },
    /* 247 */
    { { 0x25fc09d239d8f0aL,0x0b80f2ae2840859L,0x17680173477b92bL,
        0x27e38d8581390daL,0x19eb061beab38edL,0x3a1159c1e6c0247L,
        0x21a2e0cd4226543L,0x00c3e83ddfb1cbfL,0x0931d242162760aL },
      { 0x29f834cf8646bc3L,0x25294902ba5be7eL,0x3890379177d17dfL,
        0x113ffad9b364070L,0x077b924659dfd06L,0x3660753e06bb0bbL,
        0x37b0932df3b7f2cL,0x2762f26f0fda7cdL,0x125daef34f3dd85L } },
    /* 248 */
    { { 0x008451ba2c123bcL,0x20e9a02063e952bL,0x170298957b8ad1eL,
        0x0d3c3c4bc595b75L,0x30a9fa14dcc7f2eL,0x0bf9e0b07daa70cL,
        0x1f54ddefc9a2bbbL,0x0294f4c671a5dc2L,0x1dc0b8238cbd646L },
      { 0x249290144dfb6f6L,0x35f2d1b900749bdL,0x240e48537ad8270L,
        0x2d5c3636f6469c2L,0x2f170d58b84d661L,0x0d13874b289c88eL,
        0x1de1faeeb4cf146L,0x17a9c8957f256aeL,0x1f8cd6e110adbdcL } },
    /* 249 */
    { { 0x257c6b978b8a0a7L,0x12badba0cfb7a8aL,0x17c14bd13fe724bL,
        0x223f0ba3b927918L,0x1fb147eefc41868L,0x3998b3ee34e6292L,
        0x0ba2ece9f191f12L,0x35435861c8a2656L,0x02dbd6d0f1b00b8L },
      { 0x15cfdfe24c93cc9L,0x35de02e79c639e2L,0x3a5838baf7eb29eL,
        0x1f93772fda40722L,0x3a180d6bb022538L,0x251f1f0992c942fL,
        0x23f3cd6d68e548cL,0x0f34a0a9ed8ca64L,0x00fb8f036132d10L } },
    /* 250 */
    { { 0x198b3f08cd9d494L,0x0196e653d3e7ce0L,0x22203c738fa99b2L,
        0x0536348a72dd992L,0x0c51c54b3199f4cL,0x084e8ccb76b5d71L,
        0x0c7b2f9a32ce0bdL,0x3c82bce88421622L,0x0d16defa3625b1fL },
      { 0x0e0054819a296ebL,0x13fc5746a44c4d1L,0x2d2bfeaa454f1d9L,
        0x00d3502f5ff5f7aL,0x21801a4afae65a8L,0x178379dd813c51fL,
        0x172ca0983048f9aL,0x3445e8ec67297fdL,0x0e0a237dba71821L } },
    /* 251 */
    { { 0x1babf8491630ee8L,0x16270817ad4c07bL,0x2b2da051f47bde6L,
        0x25884aefa067df4L,0x294292124aeaa9fL,0x110d796f73b4f57L,
        0x11f66f691f5b89fL,0x3c368658130ce50L,0x0e6b7fc09ca4356L },
      { 0x294e413f74f811cL,0x0b60c77e36376c4L,0x3217963418c91a4L,
        0x06223af37b09fd5L,0x2ea305bc95fde52L,0x319a2d87f75781bL,
        0x011861ed1e6088aL,0x33af0ccebc05baeL,0x1c95ecb192d15ddL } },
    /* 252 */
    { { 0x27b37a3e0bde442L,0x10ffa19bde9cfa4L,0x1d208ed10c2ee05L,
        0x1069985e8cb4c36L,0x0d1d5cf8baf79c3L,0x0eaf3e2f9cd9e1cL,
        0x2b5e7b02d0dce9eL,0x1c317f88f4b75dcL,0x10b29fceea01ffcL },
      { 0x1bcae4d62d803ffL,0x3a44ff6f0c1aa4cL,0x27abd8c1066293eL,
        0x0ab9e9b5962bc77L,0x2102f4e06d48578L,0x0dbebf9a449964bL,
        0x37121391a3127f1L,0x058d11ae4d10220L,0x0ba53bb4380a31eL } },
    /* 253 */
    { { 0x2e517fcca5636b0L,0x1b8085aae8571d8L,0x3d7c212e7b2d429L,
        0x1b55c5eb6116aa3L,0x398b2f3579517ceL,0x3d66c1f39d8ae16L,
        0x3ef6f042f996b5dL,0x2d227cdccaaefcdL,0x15da5d145ea4542L },
      { 0x277c55eaa7f6e3fL,0x36669ea92816f07L,0x3d77458282273f4L,
        0x3eddedd23ee95b5L,0x20629f5d1db0895L,0x16600fec7121333L,
        0x20b8d0f5b1c90a3L,0x04fc90eb13ca45cL,0x0e98c10bfe872acL } },
    /* 254 */
    { { 0x11c4785c06c4fd6L,0x2e40974970ae767L,0x1eb1d4982f24bf4L,
        0x30ae93fbcac104dL,0x398de07ab3ab3edL,0x25bd2df556948e7L,
        0x04c815d5fc49ab0L,0x1acaf1428a580e1L,0x047db1148d01567L },
      { 0x09f9cc510f3bad9L,0x2223f008a407531L,0x15ebc47b44df490L,
        0x31bce7cada245e9L,0x304e9962a20b2ebL,0x1cf756dc31638ebL,
        0x29f76c52ab7c1b5L,0x328ecad52b75a8cL,0x10859dad1eb82f4L } },
    /* 255 */
    { { 0x22c4128a182d1adL,0x05e5b88245b1159L,0x0272ba681647775L,
        0x3eae4b217069dc1L,0x3aefb2e07fac8b0L,0x2186ccb481eacb7L,
        0x2ed145c73530a07L,0x292758f6fb59622L,0x0bd547bcdca0a53L },
      { 0x3c1382f87056b51L,0x247b6c4c3e644a9L,0x1e46d3805b42c3dL,
        0x3aff4c6a657df1fL,0x0cd3fb8aa456101L,0x3ac5ef387bf48adL,
        0x2c0c32fe391df79L,0x3bbd2d353031985L,0x11219f023be711bL } },
};

/* Multiply the base point of P521 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^65, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_ecc_mulmod_base_9(sp_point_521* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    return sp_521_ecc_mulmod_stripe_9(r, &p521_base, p521_table,
                                      k, map, ct, heap);
}

#endif

/* Multiply the base point of P521 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_521(const mp_int* km, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_521  point[1];
    sp_digit k[9];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_521_from_mp(k, 9, km);

            err = sp_521_ecc_mulmod_base_9(point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_521_point_to_ecc_point_9(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the base point of P521 by the scalar, add point a and return
 * the result. If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_add_521(const mp_int* km, const ecc_point* am,
        int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_521 point[2];
    sp_digit k[9 + 9 * 2 * 6];
#endif
    sp_point_521* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (9 + 9 * 2 * 6),
            heap, DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 9;

        sp_521_from_mp(k, 9, km);
        sp_521_point_from_ecc_point_9(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->x, addP->x, p521_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->y, addP->y, p521_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_521_mod_mul_norm_9(addP->z, addP->z, p521_mod);
    }
    if (err == MP_OKAY) {
            err = sp_521_ecc_mulmod_base_9(point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_521_proj_point_add_9(point, point, addP, tmp);

        if (map) {
                sp_521_map_9(point, point, tmp);
        }

        err = sp_521_point_to_ecc_point_9(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#if defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || defined(HAVE_ECC_SIGN) || \
                                                        defined(HAVE_ECC_VERIFY)
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN | HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
/* Add 1 to a. (a = a + 1)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_521_add_one_9(sp_digit* a)
{
    a[0]++;
    sp_521_norm_9(a);
}

/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_521_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 50U) {
            r[j] &= 0x3ffffffffffffffL;
            s = 58U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Generates a scalar that is in the range 1..order-1.
 *
 * rng  Random number generator.
 * k    Scalar value.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
static int sp_521_ecc_gen_k_9(WC_RNG* rng, sp_digit* k)
{
    int err;
    byte buf[66];

    do {
        err = wc_RNG_GenerateBlock(rng, buf, sizeof(buf));
        if (err == 0) {
            buf[0] &= 0x1;
            sp_521_from_bin(k, 9, buf, (int)sizeof(buf));
            if (sp_521_cmp_9(k, p521_order2) <= 0) {
                sp_521_add_one_9(k);
                break;
            }
        }
    }
    while (err == 0);

    return err;
}

/* Makes a random EC key pair.
 *
 * rng   Random number generator.
 * priv  Generated private value.
 * pub   Generated public point.
 * heap  Heap to use for allocation.
 * returns ECC_INF_E when the point does not have the correct order, RNG
 * failures, MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_make_key_521(WC_RNG* rng, mp_int* priv, ecc_point* pub, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_521 point[2];
    #else
    sp_point_521 point[1];
    #endif
    sp_digit k[9];
#endif
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_521* infinity = NULL;
#endif
    int err = MP_OKAY;


    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap, DYNAMIC_TYPE_ECC);
    #else
    point = (sp_point_521*)XMALLOC(sizeof(sp_point_521), heap, DYNAMIC_TYPE_ECC);
    #endif
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        infinity = point + 1;
    #endif

        err = sp_521_ecc_gen_k_9(rng, k);
    }
    if (err == MP_OKAY) {
            err = sp_521_ecc_mulmod_base_9(point, k, 1, 1, NULL);
    }

#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    if (err == MP_OKAY) {
            err = sp_521_ecc_mulmod_9(infinity, point, p521_order, 1, 1, NULL);
    }
    if (err == MP_OKAY) {
        if (sp_521_iszero_9(point->x) || sp_521_iszero_9(point->y)) {
            err = ECC_INF_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        err = sp_521_to_mp(k, priv);
    }
    if (err == MP_OKAY) {
        err = sp_521_point_to_ecc_point_9(point, pub);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL) {
        /* point is not sensitive, so no need to zeroize */
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    }
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_key_gen_521_ctx {
    int state;
    sp_521_ecc_mulmod_9_ctx mulmod_ctx;
    sp_digit k[9];
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_521  point[2];
#else
    sp_point_521 point[1];
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
} sp_ecc_key_gen_521_ctx;

int sp_ecc_make_key_521_nb(sp_ecc_ctx_t* sp_ctx, WC_RNG* rng, mp_int* priv,
    ecc_point* pub, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_key_gen_521_ctx* ctx = (sp_ecc_key_gen_521_ctx*)sp_ctx->data;
#ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
    sp_point_521* infinity = ctx->point + 1;
#endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */

    typedef char ctx_size_test[sizeof(sp_ecc_key_gen_521_ctx)
                               >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
        case 0:
            err = sp_521_ecc_gen_k_9(rng, ctx->k);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
                ctx->state = 1;
            }
            break;
        case 1:
            err = sp_521_ecc_mulmod_base_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                err = FP_WOULDBLOCK;
            #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
                XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
                ctx->state = 2;
            #else
                ctx->state = 3;
            #endif
            }
            break;
    #ifdef WOLFSSL_VALIDATE_ECC_KEYGEN
        case 2:
            err = sp_521_ecc_mulmod_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      infinity, ctx->point, p521_order, 1, 1);
            if (err == MP_OKAY) {
                if (sp_521_iszero_9(ctx->point->x) ||
                    sp_521_iszero_9(ctx->point->y)) {
                    err = ECC_INF_E;
                }
                else {
                    err = FP_WOULDBLOCK;
                    ctx->state = 3;
                }
            }
            break;
    #endif /* WOLFSSL_VALIDATE_ECC_KEYGEN */
        case 3:
            err = sp_521_to_mp(ctx->k, priv);
            if (err == MP_OKAY) {
                err = sp_521_point_to_ecc_point_9(ctx->point, pub);
            }
            break;
    }

    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_key_gen_521_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

#ifdef HAVE_ECC_DHE
/* Write r as big endian to byte array.
 * Fixed length number of bytes written: 66
 *
 * r  A single precision integer.
 * a  Byte array.
 */
static void sp_521_to_bin_9(sp_digit* r, byte* a)
{
    int i;
    int j;
    int s = 0;
    int b;

    for (i=0; i<8; i++) {
        r[i+1] += r[i] >> 58;
        r[i] &= 0x3ffffffffffffffL;
    }
    j = 528 / 8 - 1;
    a[j] = 0;
    for (i=0; i<9 && j>=0; i++) {
        b = 0;
        /* lint allow cast of mismatch sp_digit and int */
        a[j--] |= (byte)(r[i] << s); /*lint !e9033*/
        b += 8 - s;
        if (j < 0) {
            break;
        }
        while (b < 58) {
            a[j--] = (byte)(r[i] >> b);
            b += 8;
            if (j < 0) {
                break;
            }
        }
        s = 8 - (b - 58);
        if (j >= 0) {
            a[j] = 0;
        }
        if (s != 0) {
            j++;
        }
    }
}

/* Multiply the point by the scalar and serialize the X ordinate.
 * The number is 0 padded to maximum size on output.
 *
 * priv    Scalar to multiply the point by.
 * pub     Point to multiply.
 * out     Buffer to hold X ordinate.
 * outLen  On entry, size of the buffer in bytes.
 *         On exit, length of data in buffer in bytes.
 * heap    Heap to use for allocation.
 * returns BUFFER_E if the buffer is to small for output size,
 * MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_secret_gen_521(const mp_int* priv, const ecc_point* pub, byte* out,
                          word32* outLen, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_521 point[1];
    sp_digit k[9];
#endif
    int err = MP_OKAY;

    if (*outLen < 65U) {
        err = BUFFER_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_521*)XMALLOC(sizeof(sp_point_521), heap,
                                         DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_521_from_mp(k, 9, priv);
        sp_521_point_from_ecc_point_9(point, pub);
            err = sp_521_ecc_mulmod_9(point, point, k, 1, 1, heap);
    }
    if (err == MP_OKAY) {
        sp_521_to_bin_9(point->x, out);
        *outLen = 66;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sec_gen_521_ctx {
    int state;
    union {
        sp_521_ecc_mulmod_9_ctx mulmod_ctx;
    };
    sp_digit k[9];
    sp_point_521 point;
} sp_ecc_sec_gen_521_ctx;

int sp_ecc_secret_gen_521_nb(sp_ecc_ctx_t* sp_ctx, const mp_int* priv,
    const ecc_point* pub, byte* out, word32* outLen, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sec_gen_521_ctx* ctx = (sp_ecc_sec_gen_521_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sec_gen_521_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    if (*outLen < 32U) {
        err = BUFFER_E;
    }

    switch (ctx->state) {
        case 0:
            sp_521_from_mp(ctx->k, 9, priv);
            sp_521_point_from_ecc_point_9(&ctx->point, pub);
            ctx->state = 1;
            break;
        case 1:
            err = sp_521_ecc_mulmod_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
                      &ctx->point, &ctx->point, ctx->k, 1, 1, heap);
            if (err == MP_OKAY) {
                sp_521_to_bin_9(ctx->point.x, out);
                *outLen = 66;
            }
            break;
    }

    if (err == MP_OKAY && ctx->state != 1) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx, 0, sizeof(sp_ecc_sec_gen_521_ctx));
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_DHE */

#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
SP_NOINLINE static void sp_521_rshift_9(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

#ifdef WOLFSSL_SP_SMALL
    for (i=0; i<8; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (58 - n))) & 0x3ffffffffffffffL;
    }
#else
    for (i=0; i<8; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (58 - n)) & 0x3ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (58 - n)) & 0x3ffffffffffffffL);
    }
#endif /* WOLFSSL_SP_SMALL */
    r[8] = a[8] >> n;
}

#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_521_mul_d_9(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 9; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x3ffffffffffffffL);
        t >>= 58;
    }
    r[9] = (sp_digit)t;
#else
    sp_int128 tb = b;
    sp_int128 t[9];

    t[ 0] = tb * a[ 0];
    t[ 1] = tb * a[ 1];
    t[ 2] = tb * a[ 2];
    t[ 3] = tb * a[ 3];
    t[ 4] = tb * a[ 4];
    t[ 5] = tb * a[ 5];
    t[ 6] = tb * a[ 6];
    t[ 7] = tb * a[ 7];
    t[ 8] = tb * a[ 8];
    r[ 0] = (sp_digit)                 (t[ 0] & 0x3ffffffffffffffL);
    r[ 1] = (sp_digit)((t[ 0] >> 58) + (t[ 1] & 0x3ffffffffffffffL));
    r[ 2] = (sp_digit)((t[ 1] >> 58) + (t[ 2] & 0x3ffffffffffffffL));
    r[ 3] = (sp_digit)((t[ 2] >> 58) + (t[ 3] & 0x3ffffffffffffffL));
    r[ 4] = (sp_digit)((t[ 3] >> 58) + (t[ 4] & 0x3ffffffffffffffL));
    r[ 5] = (sp_digit)((t[ 4] >> 58) + (t[ 5] & 0x3ffffffffffffffL));
    r[ 6] = (sp_digit)((t[ 5] >> 58) + (t[ 6] & 0x3ffffffffffffffL));
    r[ 7] = (sp_digit)((t[ 6] >> 58) + (t[ 7] & 0x3ffffffffffffffL));
    r[ 8] = (sp_digit)((t[ 7] >> 58) + (t[ 8] & 0x3ffffffffffffffL));
    r[ 9] = (sp_digit) (t[ 8] >> 58);
#endif /* WOLFSSL_SP_SMALL */
}

SP_NOINLINE static void sp_521_lshift_18(sp_digit* r, const sp_digit* a,
        byte n)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    r[18] = a[17] >> (58 - n);
    for (i=17; i>0; i--) {
        r[i] = ((a[i] << n) | (a[i-1] >> (58 - n))) & 0x3ffffffffffffffL;
    }
#else
    sp_int_digit s;
    sp_int_digit t;

    s = (sp_int_digit)a[17];
    r[18] = s >> (58U - n);
    s = (sp_int_digit)(a[17]); t = (sp_int_digit)(a[16]);
    r[17] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[16]); t = (sp_int_digit)(a[15]);
    r[16] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[15]); t = (sp_int_digit)(a[14]);
    r[15] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[14]); t = (sp_int_digit)(a[13]);
    r[14] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[13]); t = (sp_int_digit)(a[12]);
    r[13] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[12]); t = (sp_int_digit)(a[11]);
    r[12] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[11]); t = (sp_int_digit)(a[10]);
    r[11] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[10]); t = (sp_int_digit)(a[9]);
    r[10] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[9]); t = (sp_int_digit)(a[8]);
    r[9] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[8]); t = (sp_int_digit)(a[7]);
    r[8] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[7]); t = (sp_int_digit)(a[6]);
    r[7] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[6]); t = (sp_int_digit)(a[5]);
    r[6] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[5]); t = (sp_int_digit)(a[4]);
    r[5] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[4]); t = (sp_int_digit)(a[3]);
    r[4] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[3]); t = (sp_int_digit)(a[2]);
    r[3] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[2]); t = (sp_int_digit)(a[1]);
    r[2] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
    s = (sp_int_digit)(a[1]); t = (sp_int_digit)(a[0]);
    r[1] = ((s << n) | (t >> (58U - n))) & 0x3ffffffffffffffUL;
#endif /* WOLFSSL_SP_SMALL */
    r[0] = (a[0] << n) & 0x3ffffffffffffffL;
}

/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Simplified based on top word of divisor being (1 << 58) - 1
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_521_div_9(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
    sp_digit r1;
    sp_digit mask;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 9 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 9 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 18 + 1;
        sd = t2 + 9 + 1;

        sp_521_mul_d_9(sd, d, (sp_digit)1 << 1);
        sp_521_lshift_18(t1, a, 1);
        t1[9 + 9] += t1[9 + 9 - 1] >> 58;
        t1[9 + 9 - 1] &= 0x3ffffffffffffffL;
        for (i=8; i>=0; i--) {
            r1 = t1[9 + i];
            sp_521_mul_d_9(t2, sd, r1);
            (void)sp_521_sub_9(&t1[i], &t1[i], t2);
            t1[9 + i] -= t2[9];
            sp_521_norm_9(&t1[i + 1]);

            mask = ~((t1[9 + i] - 1) >> 63);
            sp_521_cond_sub_9(t1 + i, t1 + i, sd, mask);
            sp_521_norm_9(&t1[i + 1]);
        }
        sp_521_norm_9(t1);
        sp_521_rshift_9(r, t1, 1);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_521_mod_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_521_div_9(a, m, NULL, r);
}

#endif
#if defined(HAVE_ECC_SIGN) || defined(HAVE_ECC_VERIFY)
/* Multiply two number mod the order of P521 curve. (r = a * b mod order)
 *
 * r  Result of the multiplication.
 * a  First operand of the multiplication.
 * b  Second operand of the multiplication.
 */
static void sp_521_mont_mul_order_9(sp_digit* r, const sp_digit* a, const sp_digit* b)
{
    sp_521_mul_9(r, a, b);
    sp_521_mont_reduce_order_9(r, p521_order, p521_mp_order);
}

#if defined(HAVE_ECC_SIGN) || (defined(HAVE_ECC_VERIFY) && defined(WOLFSSL_SP_SMALL))
#ifdef WOLFSSL_SP_SMALL
/* Order-2 for the P521 curve. */
static const uint64_t p521_order_minus_2[9] = {
    0xbb6fb71e91386407U,0x3bb5c9b8899c47aeU,0x7fcc0148f709a5d0U,
    0x51868783bf2f966bU,0xfffffffffffffffaU,0xffffffffffffffffU,
    0xffffffffffffffffU,0xffffffffffffffffU,0x00000000000001ffU
};
#else
/* The low half of the order-2 of the P521 curve. */
static const uint64_t p521_order_low[5] = {
    0xbb6fb71e91386407U,0x3bb5c9b8899c47aeU,0x7fcc0148f709a5d0U,
    0x51868783bf2f966bU,0xfffffffffffffffaU
};
#endif /* WOLFSSL_SP_SMALL */

/* Square number mod the order of P521 curve. (r = a * a mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_521_mont_sqr_order_9(sp_digit* r, const sp_digit* a)
{
    sp_521_sqr_9(r, a);
    sp_521_mont_reduce_order_9(r, p521_order, p521_mp_order);
}

#ifndef WOLFSSL_SP_SMALL
/* Square number mod the order of P521 curve a number of times.
 * (r = a ^ n mod order)
 *
 * r  Result of the squaring.
 * a  Number to square.
 */
static void sp_521_mont_sqr_n_order_9(sp_digit* r, const sp_digit* a, int n)
{
    int i;

    sp_521_mont_sqr_order_9(r, a);
    for (i=1; i<n; i++) {
        sp_521_mont_sqr_order_9(r, r);
    }
}
#endif /* !WOLFSSL_SP_SMALL */

/* Invert the number, in Montgomery form, modulo the order of the P521 curve.
 * (r = 1 / a mod order)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_521_mont_inv_order_9_ctx {
    int state;
    int i;
} sp_521_mont_inv_order_9_ctx;
static int sp_521_mont_inv_order_9_nb(sp_ecc_ctx_t* sp_ctx, sp_digit* r, const sp_digit* a,
        sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_521_mont_inv_order_9_ctx* ctx = (sp_521_mont_inv_order_9_ctx*)sp_ctx;

    typedef char ctx_size_test[sizeof(sp_521_mont_inv_order_9_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        XMEMCPY(t, a, sizeof(sp_digit) * 9);
        ctx->i = 519;
        ctx->state = 1;
        break;
    case 1:
        sp_521_mont_sqr_order_9(t, t);
        ctx->state = 2;
        break;
    case 2:
        if ((p521_order_minus_2[ctx->i / 64] & ((sp_int_digit)1 << (ctx->i % 64))) != 0) {
            sp_521_mont_mul_order_9(t, t, a);
        }
        ctx->i--;
        ctx->state = (ctx->i == 0) ? 3 : 1;
        break;
    case 3:
        XMEMCPY(r, t, sizeof(sp_digit) * 9U);
        err = MP_OKAY;
        break;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

static void sp_521_mont_inv_order_9(sp_digit* r, const sp_digit* a,
        sp_digit* td)
{
#ifdef WOLFSSL_SP_SMALL
    sp_digit* t = td;
    int i;

    XMEMCPY(t, a, sizeof(sp_digit) * 9);
    for (i=519; i>=0; i--) {
        sp_521_mont_sqr_order_9(t, t);
        if ((p521_order_minus_2[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_521_mont_mul_order_9(t, t, a);
        }
    }
    XMEMCPY(r, t, sizeof(sp_digit) * 9U);
#else
    sp_digit* t = td;
    sp_digit* t2 = td + 2 * 9;
    sp_digit* t3 = td + 4 * 9;
    int i;

    /* t = a^2 */
    sp_521_mont_sqr_order_9(t, a);
    /* t = a^3 = t * a */
    sp_521_mont_mul_order_9(t, t, a);
    /* t= a^c = t ^ 2 ^ 2 */
    sp_521_mont_sqr_n_order_9(t2, t, 2);
    /* t = a^f = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);

    /* t3 = a^1e */
    sp_521_mont_sqr_order_9(t3, t);
    /* t3 = a^1f = t3 * a */
    sp_521_mont_mul_order_9(t3, t3, a);

    /* t2= a^f0 = t ^ 2 ^ 4 */
    sp_521_mont_sqr_n_order_9(t2, t, 4);
    /* t = a^ff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);
    /* t2= a^ff00 = t ^ 2 ^ 8 */
    sp_521_mont_sqr_n_order_9(t2, t, 8);
    /* t3= a^ffff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);
    /* t2= a^ffff0000 = t ^ 2 ^ 16 */
    sp_521_mont_sqr_n_order_9(t2, t, 16);
    /* t = a^ffffffff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);

    /* t2= a^ffffffff00000000 = t ^ 2 ^ 32 */
    sp_521_mont_sqr_n_order_9(t2, t, 32);
    /* t = a^ffffffffffffffff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);
    /* t2= a^ffffffffffffffff0000000000000000 = t ^ 2 ^ 64 */
    sp_521_mont_sqr_n_order_9(t2, t, 64);
    /* t = a^ffffffffffffffffffffffffffffffff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);
    /* t2= a^ffffffffffffffffffffffffffffffff00000000000000000000000000000000 = t ^ 2 ^ 128 */
    sp_521_mont_sqr_n_order_9(t2, t, 128);
    /* t = a^ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff = t2 * t */
    sp_521_mont_mul_order_9(t, t2, t);

    /* t2 = a^1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0 */
    sp_521_mont_sqr_n_order_9(t2, t, 5);
    /* t2 = a^1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff = t * t3 */
    sp_521_mont_mul_order_9(t2, t2, t3);

    for (i=259; i>=1; i--) {
        sp_521_mont_sqr_order_9(t2, t2);
        if ((p521_order_low[i / 64] & ((sp_int_digit)1 << (i % 64))) != 0) {
            sp_521_mont_mul_order_9(t2, t2, a);
        }
    }
    sp_521_mont_sqr_order_9(t2, t2);
    sp_521_mont_mul_order_9(r, t2, a);
#endif /* WOLFSSL_SP_SMALL */
}

#endif /* HAVE_ECC_SIGN || (HAVE_ECC_VERIFY && WOLFSSL_SP_SMALL) */
#endif /* HAVE_ECC_SIGN | HAVE_ECC_VERIFY */
#ifdef HAVE_ECC_SIGN
#ifndef SP_ECC_MAX_SIG_GEN
#define SP_ECC_MAX_SIG_GEN  64
#endif

/* Calculate second signature value S from R, k and private value.
 *
 * s = (r * x + e) / k
 *
 * s    Signature value.
 * r    First signature value.
 * k    Ephemeral private key.
 * x    Private key as a number.
 * e    Hash of message as a number.
 * tmp  Temporary storage for intermediate numbers.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_calc_s_9(sp_digit* s, const sp_digit* r, sp_digit* k,
    sp_digit* x, const sp_digit* e, sp_digit* tmp)
{
    int err;
    sp_digit carry;
    sp_int64 c;
    sp_digit* kInv = k;

    /* Conv k to Montgomery form (mod order) */
        sp_521_mul_9(k, k, p521_norm_order);
    err = sp_521_mod_9(k, k, p521_order);
    if (err == MP_OKAY) {
        sp_521_norm_9(k);

        /* kInv = 1/k mod order */
            sp_521_mont_inv_order_9(kInv, k, tmp);
        sp_521_norm_9(kInv);

        /* s = r * x + e */
            sp_521_mul_9(x, x, r);
        err = sp_521_mod_9(x, x, p521_order);
    }
    if (err == MP_OKAY) {
        sp_521_norm_9(x);
        carry = sp_521_add_9(s, e, x);
        sp_521_cond_sub_9(s, s, p521_order, 0 - carry);
        sp_521_norm_9(s);
        c = sp_521_cmp_9(s, p521_order);
        sp_521_cond_sub_9(s, s, p521_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_521_norm_9(s);

        /* s = s * k^-1 mod order */
            sp_521_mont_mul_order_9(s, s, kInv);
        sp_521_norm_9(s);
    }

    return err;
}

/* Sign the hash using the private key.
 *   e = [hash, 521 bits] from binary
 *   r = (k.G)->x mod order
 *   s = (r * x + e) / k mod order
 * The hash is truncated to the first 521 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns RNG failures, MEMORY_E when memory allocation fails and
 * MP_OKAY on success.
 */
int sp_ecc_sign_521(const byte* hash, word32 hashLen, WC_RNG* rng,
    const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* e = NULL;
    sp_point_521* point = NULL;
#else
    sp_digit e[7 * 2 * 9];
    sp_point_521 point[1];
#endif
    sp_digit* x = NULL;
    sp_digit* k = NULL;
    sp_digit* r = NULL;
    sp_digit* tmp = NULL;
    sp_digit* s = NULL;
    sp_int64 c;
    int err = MP_OKAY;
    int i;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_521*)XMALLOC(sizeof(sp_point_521), heap,
                                             DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        e = (sp_digit*)XMALLOC(sizeof(sp_digit) * 7 * 2 * 9, heap,
                               DYNAMIC_TYPE_ECC);
        if (e == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        x = e + 2 * 9;
        k = e + 4 * 9;
        r = e + 6 * 9;
        tmp = e + 8 * 9;
        s = e;

        if (hashLen > 66U) {
            hashLen = 66U;
        }
    }

    for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_521_ecc_gen_k_9(rng, k);
        }
        else {
            sp_521_from_mp(k, 9, km);
            mp_zero(km);
        }
        if (err == MP_OKAY) {
                err = sp_521_ecc_mulmod_base_9(point, k, 1, 1, heap);
        }

        if (err == MP_OKAY) {
            /* r = point->x mod order */
            XMEMCPY(r, point->x, sizeof(sp_digit) * 9U);
            sp_521_norm_9(r);
            c = sp_521_cmp_9(r, p521_order);
            sp_521_cond_sub_9(r, r, p521_order,
                (sp_digit)0 - (sp_digit)(c >= 0));
            sp_521_norm_9(r);

            if (!sp_521_iszero_9(r)) {
                /* x is modified in calculation of s. */
                sp_521_from_mp(x, 9, priv);
                /* s ptr == e ptr, e is modified in calculation of s. */
                sp_521_from_bin(e, 9, hash, (int)hashLen);

                /* Take 521 leftmost bits of hash. */
                if (hashLen == 66U) {
                    sp_521_rshift_9(e, e, 7);
                    e[8] |= ((sp_digit)hash[0]) << 49;
                }

                err = sp_521_calc_s_9(s, r, k, x, e, tmp);

                /* Check that signature is usable. */
                if ((err == MP_OKAY) && (!sp_521_iszero_9(s))) {
                    break;
                }
            }
        }
#ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        i = 1;
#endif
    }

    if (i == 0) {
        err = RNG_FAILURE_E;
    }

    if (err == MP_OKAY) {
        err = sp_521_to_mp(r, rm);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(s, sm);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (e != NULL)
#endif
    {
        ForceZero(e, sizeof(sp_digit) * 7 * 2 * 9);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(e, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (point != NULL)
#endif
    {
        ForceZero(point, sizeof(sp_point_521));
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_sign_521_ctx {
    int state;
    union {
        sp_521_ecc_mulmod_9_ctx mulmod_ctx;
        sp_521_mont_inv_order_9_ctx mont_inv_order_ctx;
    };
    sp_digit e[2*9];
    sp_digit x[2*9];
    sp_digit k[2*9];
    sp_digit r[2*9];
    sp_digit tmp[3 * 2*9];
    sp_point_521 point;
    sp_digit* s;
    sp_digit* kInv;
    int i;
} sp_ecc_sign_521_ctx;

int sp_ecc_sign_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, WC_RNG* rng,
    mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_sign_521_ctx* ctx = (sp_ecc_sign_521_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_sign_521_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->s = ctx->e;
        ctx->kInv = ctx->k;

        ctx->i = SP_ECC_MAX_SIG_GEN;
        ctx->state = 1;
        break;
    case 1: /* GEN */
        /* New random point. */
        if (km == NULL || mp_iszero(km)) {
            err = sp_521_ecc_gen_k_9(rng, ctx->k);
        }
        else {
            sp_521_from_mp(ctx->k, 9, km);
            mp_zero(km);
        }
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 2;
        break;
    case 2: /* MULMOD */
        err = sp_521_ecc_mulmod_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx,
            &ctx->point, &p521_base, ctx->k, 1, 1, heap);
        if (err == MP_OKAY) {
            ctx->state = 3;
        }
        break;
    case 3: /* MODORDER */
    {
        sp_int64 c;
        /* r = point->x mod order */
        XMEMCPY(ctx->r, ctx->point.x, sizeof(sp_digit) * 9U);
        sp_521_norm_9(ctx->r);
        c = sp_521_cmp_9(ctx->r, p521_order);
        sp_521_cond_sub_9(ctx->r, ctx->r, p521_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_521_norm_9(ctx->r);

        if (hashLen > 66U) {
            hashLen = 66U;
        }
        sp_521_from_mp(ctx->x, 9, priv);
        sp_521_from_bin(ctx->e, 9, hash, (int)hashLen);
        if (hashLen == 66U) {
            sp_521_rshift_9(ctx->e, ctx->e, 7);
            ctx->e[8] |= ((sp_digit)hash[0]) << 49;
        }
        ctx->state = 4;
        break;
    }
    case 4: /* KMODORDER */
        /* Conv k to Montgomery form (mod order) */
        sp_521_mul_9(ctx->k, ctx->k, p521_norm_order);
        err = sp_521_mod_9(ctx->k, ctx->k, p521_order);
        if (err == MP_OKAY) {
            sp_521_norm_9(ctx->k);
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 5;
        }
        break;
    case 5: /* KINV */
        /* kInv = 1/k mod order */
        err = sp_521_mont_inv_order_9_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->kInv, ctx->k, ctx->tmp);
        if (err == MP_OKAY) {
            XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* KINVNORM */
        sp_521_norm_9(ctx->kInv);
        ctx->state = 7;
        break;
    case 7: /* R */
        /* s = r * x + e */
        sp_521_mul_9(ctx->x, ctx->x, ctx->r);
        ctx->state = 8;
        break;
    case 8: /* S1 */
        err = sp_521_mod_9(ctx->x, ctx->x, p521_order);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* S2 */
    {
        sp_digit carry;
        sp_int64 c;
        sp_521_norm_9(ctx->x);
        carry = sp_521_add_9(ctx->s, ctx->e, ctx->x);
        sp_521_cond_sub_9(ctx->s, ctx->s,
            p521_order, 0 - carry);
        sp_521_norm_9(ctx->s);
        c = sp_521_cmp_9(ctx->s, p521_order);
        sp_521_cond_sub_9(ctx->s, ctx->s, p521_order,
            (sp_digit)0 - (sp_digit)(c >= 0));
        sp_521_norm_9(ctx->s);

        /* s = s * k^-1 mod order */
        sp_521_mont_mul_order_9(ctx->s, ctx->s, ctx->kInv);
        sp_521_norm_9(ctx->s);

        /* Check that signature is usable. */
        if (sp_521_iszero_9(ctx->s) == 0) {
            ctx->state = 10;
            break;
        }
    #ifdef WOLFSSL_ECDSA_SET_K_ONE_LOOP
        ctx->i = 1;
    #endif

        /* not usable gen, try again */
        ctx->i--;
        if (ctx->i == 0) {
            err = RNG_FAILURE_E;
        }
        ctx->state = 1;
        break;
    }
    case 10: /* RES */
        err = sp_521_to_mp(ctx->r, rm);
        if (err == MP_OKAY) {
            err = sp_521_to_mp(ctx->s, sm);
        }
        break;
    }

    if (err == MP_OKAY && ctx->state != 10) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        XMEMSET(ctx->e, 0, sizeof(sp_digit) * 2U * 9U);
        XMEMSET(ctx->x, 0, sizeof(sp_digit) * 2U * 9U);
        XMEMSET(ctx->k, 0, sizeof(sp_digit) * 2U * 9U);
        XMEMSET(ctx->r, 0, sizeof(sp_digit) * 2U * 9U);
        XMEMSET(ctx->tmp, 0, sizeof(sp_digit) * 3U * 2U * 9U);
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_SIGN */

#ifndef WOLFSSL_SP_SMALL
static const char sp_521_tab64_9[64] = {
    64,  1, 59,  2, 60, 48, 54,  3,
    61, 40, 49, 28, 55, 34, 43,  4,
    62, 52, 38, 41, 50, 19, 29, 21,
    56, 31, 35, 12, 44, 15, 23,  5,
    63, 58, 47, 53, 39, 27, 33, 42,
    51, 37, 18, 20, 30, 11, 14, 22,
    57, 46, 26, 32, 36, 17, 10, 13,
    45, 25, 16,  9, 24,  8,  7,  6};

static int sp_521_num_bits_58_9(sp_digit v)
{
    v |= v >> 1;
    v |= v >> 2;
    v |= v >> 4;
    v |= v >> 8;
    v |= v >> 16;
    v |= v >> 32;
    return sp_521_tab64_9[((uint64_t)((v - (v >> 1))*0x07EDD5E59A4E28C2)) >> 58];
}

static int sp_521_num_bits_9(const sp_digit* a)
{
    int i;
    int r = 0;

    for (i = 8; i >= 0; i--) {
        if (a[i] != 0) {
            r = sp_521_num_bits_58_9(a[i]);
            r += i * 58;
            break;
        }
    }

    return r;
}

/* Non-constant time modular inversion.
 *
 * @param  [out]  r   Resulting number.
 * @param  [in]   a   Number to invert.
 * @param  [in]   m   Modulus.
 * @return  MP_OKAY on success.
 * @return  MEMEORY_E when dynamic memory allocation fails.
 */
static int sp_521_mod_inv_9(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    int err = MP_OKAY;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u = NULL;
#else
    sp_digit u[9 * 4];
#endif
    sp_digit* v = NULL;
    sp_digit* b = NULL;
    sp_digit* d = NULL;
    int ut;
    int vt;

#ifdef WOLFSSL_SP_SMALL_STACK
    u = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9 * 4, NULL,
                                                              DYNAMIC_TYPE_ECC);
    if (u == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        v = u + 9;
        b = u + 2 * 9;
        d = u + 3 * 9;

        XMEMCPY(u, m, sizeof(sp_digit) * 9);
        XMEMCPY(v, a, sizeof(sp_digit) * 9);

        ut = sp_521_num_bits_9(u);
        vt = sp_521_num_bits_9(v);

        XMEMSET(b, 0, sizeof(sp_digit) * 9);
        if ((v[0] & 1) == 0) {
            sp_521_rshift1_9(v, v);
            XMEMCPY(d, m, sizeof(sp_digit) * 9);
            d[0]++;
            sp_521_rshift1_9(d, d);
            vt--;

            while ((v[0] & 1) == 0) {
                sp_521_rshift1_9(v, v);
                if (d[0] & 1)
                    sp_521_add_9(d, d, m);
                sp_521_rshift1_9(d, d);
                vt--;
            }
        }
        else {
            XMEMSET(d+1, 0, sizeof(sp_digit) * (9 - 1));
            d[0] = 1;
        }

        while (ut > 1 && vt > 1) {
            if ((ut > vt) || ((ut == vt) &&
                    (sp_521_cmp_9(u, v) >= 0))) {
                sp_521_sub_9(u, u, v);
                sp_521_norm_9(u);

                sp_521_sub_9(b, b, d);
                sp_521_norm_9(b);
                if (b[8] < 0)
                    sp_521_add_9(b, b, m);
                sp_521_norm_9(b);
                ut = sp_521_num_bits_9(u);

                do {
                    sp_521_rshift1_9(u, u);
                    if (b[0] & 1)
                        sp_521_add_9(b, b, m);
                    sp_521_rshift1_9(b, b);
                    ut--;
                }
                while (ut > 0 && (u[0] & 1) == 0);
            }
            else {
                sp_521_sub_9(v, v, u);
                sp_521_norm_9(v);

                sp_521_sub_9(d, d, b);
                sp_521_norm_9(d);
                if (d[8] < 0)
                    sp_521_add_9(d, d, m);
                sp_521_norm_9(d);
                vt = sp_521_num_bits_9(v);

                do {
                    sp_521_rshift1_9(v, v);
                    if (d[0] & 1)
                        sp_521_add_9(d, d, m);
                    sp_521_rshift1_9(d, d);
                    vt--;
                }
                while (vt > 0 && (v[0] & 1) == 0);
            }
        }

        if (ut == 1)
            XMEMCPY(r, b, sizeof(sp_digit) * 9);
        else
            XMEMCPY(r, d, sizeof(sp_digit) * 9);
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (u != NULL)
        XFREE(u, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* WOLFSSL_SP_SMALL */

/* Add point p1 into point p2. Handles p1 == p2 and result at infinity.
 *
 * p1   First point to add and holds result.
 * p2   Second point to add.
 * tmp  Temporary storage for intermediate numbers.
 */
static void sp_521_add_points_9(sp_point_521* p1, const sp_point_521* p2,
    sp_digit* tmp)
{

        sp_521_proj_point_add_9(p1, p1, p2, tmp);
    if (sp_521_iszero_9(p1->z)) {
        if (sp_521_iszero_9(p1->x) && sp_521_iszero_9(p1->y)) {
                sp_521_proj_point_dbl_9(p1, p2, tmp);
        }
        else {
            /* Y ordinate is not used from here - don't set. */
            p1->x[0] = 0;
            p1->x[1] = 0;
            p1->x[2] = 0;
            p1->x[3] = 0;
            p1->x[4] = 0;
            p1->x[5] = 0;
            p1->x[6] = 0;
            p1->x[7] = 0;
            p1->x[8] = 0;
            XMEMCPY(p1->z, p521_norm_mod, sizeof(p521_norm_mod));
        }
    }
}

/* Calculate the verification point: [e/s]G + [r/s]Q
 *
 * p1    Calculated point.
 * p2    Public point and temporary.
 * s     Second part of signature as a number.
 * u1    Temporary number.
 * u2    Temporary number.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_521_calc_vfy_point_9(sp_point_521* p1, sp_point_521* p2,
    sp_digit* s, sp_digit* u1, sp_digit* u2, sp_digit* tmp, void* heap)
{
    int err;

#ifndef WOLFSSL_SP_SMALL
    err = sp_521_mod_inv_9(s, s, p521_order);
    if (err == MP_OKAY)
#endif /* !WOLFSSL_SP_SMALL */
    {
        sp_521_mul_9(s, s, p521_norm_order);
        err = sp_521_mod_9(s, s, p521_order);
    }
    if (err == MP_OKAY) {
        sp_521_norm_9(s);
#ifdef WOLFSSL_SP_SMALL
        {
            sp_521_mont_inv_order_9(s, s, tmp);
            sp_521_mont_mul_order_9(u1, u1, s);
            sp_521_mont_mul_order_9(u2, u2, s);
        }
#else
        {
            sp_521_mont_mul_order_9(u1, u1, s);
            sp_521_mont_mul_order_9(u2, u2, s);
        }
#endif /* WOLFSSL_SP_SMALL */
        {
            err = sp_521_ecc_mulmod_base_9(p1, u1, 0, 0, heap);
        }
    }
    if ((err == MP_OKAY) && sp_521_iszero_9(p1->z)) {
        p1->infinity = 1;
    }
    if (err == MP_OKAY) {
            err = sp_521_ecc_mulmod_9(p2, p2, u2, 0, 0, heap);
    }
    if ((err == MP_OKAY) && sp_521_iszero_9(p2->z)) {
        p2->infinity = 1;
    }

    if (err == MP_OKAY) {
        sp_521_add_points_9(p1, p2, tmp);
    }

    return err;
}

#ifdef HAVE_ECC_VERIFY
/* Verify the signature values with the hash and public key.
 *   e = Truncate(hash, 521)
 *   u1 = e/s mod order
 *   u2 = r/s mod order
 *   r == (u1.G + u2.Q)->x mod order
 * Optimization: Leave point in projective form.
 *   (x, y, 1) == (x' / z'*z', y' / z'*z'*z', z' / z')
 *   (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x'
 * The hash is truncated to the first 521 bits.
 *
 * hash     Hash to sign.
 * hashLen  Length of the hash data.
 * rng      Random number generator.
 * priv     Private part of key - scalar.
 * rm       First part of result as an mp_int.
 * sm       Sirst part of result as an mp_int.
 * heap     Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_verify_521(const byte* hash, word32 hashLen, const mp_int* pX,
    const mp_int* pY, const mp_int* pZ, const mp_int* rm, const mp_int* sm,
    int* res, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* u1 = NULL;
    sp_point_521* p1 = NULL;
#else
    sp_digit  u1[18 * 9];
    sp_point_521 p1[2];
#endif
    sp_digit* u2 = NULL;
    sp_digit* s = NULL;
    sp_digit* tmp = NULL;
    sp_point_521* p2 = NULL;
    sp_digit carry;
    sp_int64 c = 0;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p1 = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap,
                                             DYNAMIC_TYPE_ECC);
        if (p1 == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        u1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 9, heap,
                                                              DYNAMIC_TYPE_ECC);
        if (u1 == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        u2  = u1 + 2 * 9;
        s   = u1 + 4 * 9;
        tmp = u1 + 6 * 9;
        p2 = p1 + 1;

        if (hashLen > 66U) {
            hashLen = 66U;
        }

        sp_521_from_bin(u1, 9, hash, (int)hashLen);
        sp_521_from_mp(u2, 9, rm);
        sp_521_from_mp(s, 9, sm);
        sp_521_from_mp(p2->x, 9, pX);
        sp_521_from_mp(p2->y, 9, pY);
        sp_521_from_mp(p2->z, 9, pZ);

        if (hashLen == 66U) {
            sp_521_rshift_9(u1, u1, 7);
            u1[8] |= ((sp_digit)hash[0]) << 49;
        }

        err = sp_521_calc_vfy_point_9(p1, p2, s, u1, u2, tmp, heap);
    }
    if (err == MP_OKAY) {
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_521_from_mp(u2, 9, rm);
        err = sp_521_mod_mul_norm_9(u2, u2, p521_mod);
    }

    if (err == MP_OKAY) {
        /* u1 = r.z'.z' mod prime */
            sp_521_mont_sqr_9(p1->z, p1->z, p521_mod, p521_mp_mod);
            sp_521_mont_mul_9(u1, u2, p1->z, p521_mod, p521_mp_mod);
        *res = (int)(sp_521_cmp_9(p1->x, u1) == 0);
        if (*res == 0) {
            /* Reload r and add order. */
            sp_521_from_mp(u2, 9, rm);
            carry = sp_521_add_9(u2, u2, p521_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_521_norm_9(u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_521_cmp_9(u2, p521_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_521_mod_mul_norm_9(u2, u2, p521_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                {
                    sp_521_mont_mul_9(u1, u2, p1->z, p521_mod, p521_mp_mod);
                }
                *res = (sp_521_cmp_9(p1->x, u1) == 0);
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (u1 != NULL)
        XFREE(u1, heap, DYNAMIC_TYPE_ECC);
    if (p1 != NULL)
        XFREE(p1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_ecc_verify_521_ctx {
    int state;
    union {
        sp_521_ecc_mulmod_9_ctx mulmod_ctx;
        sp_521_mont_inv_order_9_ctx mont_inv_order_ctx;
        sp_521_proj_point_dbl_9_ctx dbl_ctx;
        sp_521_proj_point_add_9_ctx add_ctx;
    };
    sp_digit u1[2*9];
    sp_digit u2[2*9];
    sp_digit s[2*9];
    sp_digit tmp[2*9 * 6];
    sp_point_521 p1;
    sp_point_521 p2;
} sp_ecc_verify_521_ctx;

int sp_ecc_verify_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
    word32 hashLen, const mp_int* pX, const mp_int* pY, const mp_int* pZ,
    const mp_int* rm, const mp_int* sm, int* res, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_ecc_verify_521_ctx* ctx = (sp_ecc_verify_521_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_ecc_verify_521_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        if (hashLen > 66U) {
            hashLen = 66U;
        }

        sp_521_from_bin(ctx->u1, 9, hash, (int)hashLen);
        sp_521_from_mp(ctx->u2, 9, rm);
        sp_521_from_mp(ctx->s, 9, sm);
        sp_521_from_mp(ctx->p2.x, 9, pX);
        sp_521_from_mp(ctx->p2.y, 9, pY);
        sp_521_from_mp(ctx->p2.z, 9, pZ);
        if (hashLen == 66U) {
            sp_521_rshift_9(ctx->u1, ctx->u1, 7);
            ctx->u1[8] |= ((sp_digit)hash[0]) << 49;
        }
        ctx->state = 1;
        break;
    case 1: /* NORMS0 */
        sp_521_mul_9(ctx->s, ctx->s, p521_norm_order);
        err = sp_521_mod_9(ctx->s, ctx->s, p521_order);
        if (err == MP_OKAY)
            ctx->state = 2;
        break;
    case 2: /* NORMS1 */
        sp_521_norm_9(ctx->s);
        XMEMSET(&ctx->mont_inv_order_ctx, 0, sizeof(ctx->mont_inv_order_ctx));
        ctx->state = 3;
        break;
    case 3: /* NORMS2 */
        err = sp_521_mont_inv_order_9_nb((sp_ecc_ctx_t*)&ctx->mont_inv_order_ctx, ctx->s, ctx->s, ctx->tmp);
        if (err == MP_OKAY) {
            ctx->state = 4;
        }
        break;
    case 4: /* NORMS3 */
        sp_521_mont_mul_order_9(ctx->u1, ctx->u1, ctx->s);
        ctx->state = 5;
        break;
    case 5: /* NORMS4 */
        sp_521_mont_mul_order_9(ctx->u2, ctx->u2, ctx->s);
        XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
        ctx->state = 6;
        break;
    case 6: /* MULBASE */
        err = sp_521_ecc_mulmod_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p1, &p521_base, ctx->u1, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_521_iszero_9(ctx->p1.z)) {
                ctx->p1.infinity = 1;
            }
            XMEMSET(&ctx->mulmod_ctx, 0, sizeof(ctx->mulmod_ctx));
            ctx->state = 7;
        }
        break;
    case 7: /* MULMOD */
        err = sp_521_ecc_mulmod_9_nb((sp_ecc_ctx_t*)&ctx->mulmod_ctx, &ctx->p2, &ctx->p2, ctx->u2, 0, 0, heap);
        if (err == MP_OKAY) {
            if (sp_521_iszero_9(ctx->p2.z)) {
                ctx->p2.infinity = 1;
            }
            XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
            ctx->state = 8;
        }
        break;
    case 8: /* ADD */
        err = sp_521_proj_point_add_9_nb((sp_ecc_ctx_t*)&ctx->add_ctx, &ctx->p1, &ctx->p1, &ctx->p2, ctx->tmp);
        if (err == MP_OKAY)
            ctx->state = 9;
        break;
    case 9: /* MONT */
        /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
        /* Reload r and convert to Montgomery form. */
        sp_521_from_mp(ctx->u2, 9, rm);
        err = sp_521_mod_mul_norm_9(ctx->u2, ctx->u2, p521_mod);
        if (err == MP_OKAY)
            ctx->state = 10;
        break;
    case 10: /* SQR */
        /* u1 = r.z'.z' mod prime */
        sp_521_mont_sqr_9(ctx->p1.z, ctx->p1.z, p521_mod, p521_mp_mod);
        ctx->state = 11;
        break;
    case 11: /* MUL */
        sp_521_mont_mul_9(ctx->u1, ctx->u2, ctx->p1.z, p521_mod, p521_mp_mod);
        ctx->state = 12;
        break;
    case 12: /* RES */
    {
        sp_int64 c = 0;
        err = MP_OKAY; /* math okay, now check result */
        *res = (int)(sp_521_cmp_9(ctx->p1.x, ctx->u1) == 0);
        if (*res == 0) {
            sp_digit carry;

            /* Reload r and add order. */
            sp_521_from_mp(ctx->u2, 9, rm);
            carry = sp_521_add_9(ctx->u2, ctx->u2, p521_order);
            /* Carry means result is greater than mod and is not valid. */
            if (carry == 0) {
                sp_521_norm_9(ctx->u2);

                /* Compare with mod and if greater or equal then not valid. */
                c = sp_521_cmp_9(ctx->u2, p521_mod);
            }
        }
        if ((*res == 0) && (c < 0)) {
            /* Convert to Montogomery form */
            err = sp_521_mod_mul_norm_9(ctx->u2, ctx->u2, p521_mod);
            if (err == MP_OKAY) {
                /* u1 = (r + 1*order).z'.z' mod prime */
                sp_521_mont_mul_9(ctx->u1, ctx->u2, ctx->p1.z, p521_mod,
                                                            p521_mp_mod);
                *res = (int)(sp_521_cmp_9(ctx->p1.x, ctx->u1) == 0);
            }
        }
        break;
    }
    } /* switch */

    if (err == MP_OKAY && ctx->state != 12) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
#endif /* HAVE_ECC_VERIFY */

#ifdef HAVE_ECC_CHECK_KEY
/* Check that the x and y ordinates are a valid point on the curve.
 *
 * point  EC point.
 * heap   Heap to use if dynamically allocating.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
static int sp_521_ecc_is_point_9(const sp_point_521* point,
    void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[9 * 4];
#endif
    sp_digit* t2 = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9 * 4, heap, DYNAMIC_TYPE_ECC);
    if (t1 == NULL)
        err = MEMORY_E;
#endif
    (void)heap;

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 9;

        /* y^2 - x^3 - a.x = b */
        sp_521_sqr_9(t1, point->y);
        (void)sp_521_mod_9(t1, t1, p521_mod);
        sp_521_sqr_9(t2, point->x);
        (void)sp_521_mod_9(t2, t2, p521_mod);
        sp_521_mul_9(t2, t2, point->x);
        (void)sp_521_mod_9(t2, t2, p521_mod);
        sp_521_mont_sub_9(t1, t1, t2, p521_mod);

        /* y^2 - x^3 + 3.x = b, when a = -3  */
        sp_521_mont_add_9(t1, t1, point->x, p521_mod);
        sp_521_mont_add_9(t1, t1, point->x, p521_mod);
        sp_521_mont_add_9(t1, t1, point->x, p521_mod);


        if (sp_521_cmp_9(t1, p521_b) != 0) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the x and y ordinates are a valid point on the curve.
 *
 * pX  X ordinate of EC point.
 * pY  Y ordinate of EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
int sp_ecc_is_point_521(const mp_int* pX, const mp_int* pY)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_521* pub = NULL;
#else
    sp_point_521 pub[1];
#endif
    const byte one[1] = { 1 };
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    pub = (sp_point_521*)XMALLOC(sizeof(sp_point_521), NULL,
                                       DYNAMIC_TYPE_ECC);
    if (pub == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        sp_521_from_mp(pub->x, 9, pX);
        sp_521_from_mp(pub->y, 9, pY);
        sp_521_from_bin(pub->z, 9, one, (int)sizeof(one));

        err = sp_521_ecc_is_point_9(pub, NULL);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the private scalar generates the EC point (px, py), the point is
 * on the curve and the point has the correct order.
 *
 * pX     X ordinate of EC point.
 * pY     Y ordinate of EC point.
 * privm  Private scalar that generates EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve, ECC_INF_E if the point does not have the correct order,
 * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
 * MP_OKAY otherwise.
 */
int sp_ecc_check_key_521(const mp_int* pX, const mp_int* pY,
    const mp_int* privm, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* priv = NULL;
    sp_point_521* pub = NULL;
#else
    sp_digit priv[9];
    sp_point_521 pub[2];
#endif
    sp_point_521* p = NULL;
    const byte one[1] = { 1 };
    int err = MP_OKAY;


    /* Quick check the lengs of public key ordinates and private key are in
     * range. Proper check later.
     */
    if (((mp_count_bits(pX) > 521) ||
        (mp_count_bits(pY) > 521) ||
        ((privm != NULL) && (mp_count_bits(privm) > 521)))) {
        err = ECC_OUT_OF_RANGE_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        pub = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, heap,
                                           DYNAMIC_TYPE_ECC);
        if (pub == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY && privm) {
        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 9, heap,
                                  DYNAMIC_TYPE_ECC);
        if (priv == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = pub + 1;

        sp_521_from_mp(pub->x, 9, pX);
        sp_521_from_mp(pub->y, 9, pY);
        sp_521_from_bin(pub->z, 9, one, (int)sizeof(one));
        if (privm)
            sp_521_from_mp(priv, 9, privm);

        /* Check point at infinitiy. */
        if ((sp_521_iszero_9(pub->x) != 0) &&
            (sp_521_iszero_9(pub->y) != 0)) {
            err = ECC_INF_E;
        }
    }

    /* Check range of X and Y */
    if ((err == MP_OKAY) &&
            ((sp_521_cmp_9(pub->x, p521_mod) >= 0) ||
             (sp_521_cmp_9(pub->y, p521_mod) >= 0))) {
        err = ECC_OUT_OF_RANGE_E;
    }

    if (err == MP_OKAY) {
        /* Check point is on curve */
        err = sp_521_ecc_is_point_9(pub, heap);
    }

    if (err == MP_OKAY) {
        /* Point * order = infinity */
            err = sp_521_ecc_mulmod_9(p, pub, p521_order, 1, 1, heap);
    }
    /* Check result is infinity */
    if ((err == MP_OKAY) && ((sp_521_iszero_9(p->x) == 0) ||
                             (sp_521_iszero_9(p->y) == 0))) {
        err = ECC_INF_E;
    }

    if (privm) {
        if (err == MP_OKAY) {
            /* Base * private = point */
                err = sp_521_ecc_mulmod_base_9(p, priv, 1, 1, heap);
        }
        /* Check result is public key */
        if ((err == MP_OKAY) &&
                ((sp_521_cmp_9(p->x, pub->x) != 0) ||
                 (sp_521_cmp_9(p->y, pub->y) != 0))) {
            err = ECC_PRIV_KEY_E;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, heap, DYNAMIC_TYPE_ECC);
    if (priv != NULL)
        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
/* Add two projective EC points together.
 * (pX, pY, pZ) + (qX, qY, qZ) = (rX, rY, rZ)
 *
 * pX   First EC point's X ordinate.
 * pY   First EC point's Y ordinate.
 * pZ   First EC point's Z ordinate.
 * qX   Second EC point's X ordinate.
 * qY   Second EC point's Y ordinate.
 * qZ   Second EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_add_point_521(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* qX, mp_int* qY, mp_int* qZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_521* p = NULL;
#else
    sp_digit tmp[2 * 9 * 6];
    sp_point_521 p[2];
#endif
    sp_point_521* q = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_521*)XMALLOC(sizeof(sp_point_521) * 2, NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 6, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
        q = p + 1;

        sp_521_from_mp(p->x, 9, pX);
        sp_521_from_mp(p->y, 9, pY);
        sp_521_from_mp(p->z, 9, pZ);
        sp_521_from_mp(q->x, 9, qX);
        sp_521_from_mp(q->y, 9, qY);
        sp_521_from_mp(q->z, 9, qZ);
        p->infinity = sp_521_iszero_9(p->x) &
                      sp_521_iszero_9(p->y);
        q->infinity = sp_521_iszero_9(q->x) &
                      sp_521_iszero_9(q->y);

            sp_521_proj_point_add_9(p, p, q, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Double a projective EC point.
 * (pX, pY, pZ) + (pX, pY, pZ) = (rX, rY, rZ)
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * rX   Resultant EC point's X ordinate.
 * rY   Resultant EC point's Y ordinate.
 * rZ   Resultant EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_proj_dbl_point_521(mp_int* pX, mp_int* pY, mp_int* pZ,
                              mp_int* rX, mp_int* rY, mp_int* rZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_521* p = NULL;
#else
    sp_digit tmp[2 * 9 * 2];
    sp_point_521 p[1];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_521*)XMALLOC(sizeof(sp_point_521), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 2, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_521_from_mp(p->x, 9, pX);
        sp_521_from_mp(p->y, 9, pY);
        sp_521_from_mp(p->z, 9, pZ);
        p->infinity = sp_521_iszero_9(p->x) &
                      sp_521_iszero_9(p->y);

            sp_521_proj_point_dbl_9(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->x, rX);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->y, rY);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->z, rZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Map a projective EC point to affine in place.
 * pZ will be one.
 *
 * pX   EC point's X ordinate.
 * pY   EC point's Y ordinate.
 * pZ   EC point's Z ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_map_521(mp_int* pX, mp_int* pY, mp_int* pZ)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp = NULL;
    sp_point_521* p = NULL;
#else
    sp_digit tmp[2 * 9 * 5];
    sp_point_521 p[1];
#endif
    int err = MP_OKAY;


#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        p = (sp_point_521*)XMALLOC(sizeof(sp_point_521), NULL,
                                         DYNAMIC_TYPE_ECC);
        if (p == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9 * 5, NULL,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif
    if (err == MP_OKAY) {
        sp_521_from_mp(p->x, 9, pX);
        sp_521_from_mp(p->y, 9, pY);
        sp_521_from_mp(p->z, 9, pZ);
        p->infinity = sp_521_iszero_9(p->x) &
                      sp_521_iszero_9(p->y);

            sp_521_map_9(p, p, tmp);
    }

    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->x, pX);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->y, pY);
    }
    if (err == MP_OKAY) {
        err = sp_521_to_mp(p->z, pZ);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
        XFREE(tmp, NULL, DYNAMIC_TYPE_ECC);
    if (p != NULL)
        XFREE(p, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif /* WOLFSSL_PUBLIC_ECC_ADD_DBL */
#ifdef HAVE_COMP_KEY
/* Square root power for the P521 curve. */
static const uint64_t p521_sqrt_power[9] = {
    0x0000000000000000,0x0000000000000000,0x0000000000000000,
    0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,0x0000000000000000,
    0x0000000000000080
};

/* Find the square root of a number mod the prime of the curve.
 *
 * y  The number to operate on and the result.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
static int sp_521_mont_sqrt_9(sp_digit* y)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t = NULL;
#else
    sp_digit t[2 * 9];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 9, NULL, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {

        {
            int i;

            XMEMCPY(t, y, sizeof(sp_digit) * 9);
            for (i=518; i>=0; i--) {
                sp_521_mont_sqr_9(t, t, p521_mod, p521_mp_mod);
                if (p521_sqrt_power[i / 64] & ((sp_digit)1 << (i % 64)))
                    sp_521_mont_mul_9(t, t, y, p521_mod, p521_mp_mod);
            }
            XMEMCPY(y, t, sizeof(sp_digit) * 9);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}


/* Uncompress the point given the X ordinate.
 *
 * xm    X ordinate.
 * odd   Whether the Y ordinate is odd.
 * ym    Calculated Y ordinate.
 * returns MEMORY_E if dynamic memory allocation fails and MP_OKAY otherwise.
 */
int sp_ecc_uncompress_521(mp_int* xm, int odd, mp_int* ym)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* x = NULL;
#else
    sp_digit x[4 * 9];
#endif
    sp_digit* y = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    x = (sp_digit*)XMALLOC(sizeof(sp_digit) * 4 * 9, NULL, DYNAMIC_TYPE_ECC);
    if (x == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        y = x + 2 * 9;

        sp_521_from_mp(x, 9, xm);
        err = sp_521_mod_mul_norm_9(x, x, p521_mod);
    }
    if (err == MP_OKAY) {
        /* y = x^3 */
        {
            sp_521_mont_sqr_9(y, x, p521_mod, p521_mp_mod);
            sp_521_mont_mul_9(y, y, x, p521_mod, p521_mp_mod);
        }
        /* y = x^3 - 3x */
        sp_521_mont_sub_9(y, y, x, p521_mod);
        sp_521_mont_sub_9(y, y, x, p521_mod);
        sp_521_mont_sub_9(y, y, x, p521_mod);
        /* y = x^3 - 3x + b */
        err = sp_521_mod_mul_norm_9(x, p521_b, p521_mod);
    }
    if (err == MP_OKAY) {
        sp_521_mont_add_9(y, y, x, p521_mod);
        /* y = sqrt(x^3 - 3x + b) */
        err = sp_521_mont_sqrt_9(y);
    }
    if (err == MP_OKAY) {
        XMEMSET(y + 9, 0, 9U * sizeof(sp_digit));
        sp_521_mont_reduce_9(y, p521_mod, p521_mp_mod);
        if ((((word32)y[0] ^ (word32)odd) & 1U) != 0U) {
            sp_521_mont_sub_9(y, p521_mod, y, p521_mod);
        }

        err = sp_521_to_mp(y, ym);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (x != NULL)
        XFREE(x, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#endif /* WOLFSSL_SP_521 */
#ifdef WOLFCRYPT_HAVE_SAKKE
#ifdef WOLFSSL_SP_1024

/* Point structure to use. */
typedef struct sp_point_1024 {
    /* X ordinate of point. */
    sp_digit x[2 * 18];
    /* Y ordinate of point. */
    sp_digit y[2 * 18];
    /* Z ordinate of point. */
    sp_digit z[2 * 18];
    /* Indicates point is at infinity. */
    int infinity;
} sp_point_1024;

#ifndef WOLFSSL_SP_SMALL
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_1024_mul_9(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_int128 t0;
    sp_int128 t1;
    sp_digit t[9];

    t0 = ((sp_int128)a[ 0]) * b[ 0];
    t1 = ((sp_int128)a[ 0]) * b[ 1]
       + ((sp_int128)a[ 1]) * b[ 0];
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 0]) * b[ 2]
       + ((sp_int128)a[ 1]) * b[ 1]
       + ((sp_int128)a[ 2]) * b[ 0];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 0]) * b[ 3]
       + ((sp_int128)a[ 1]) * b[ 2]
       + ((sp_int128)a[ 2]) * b[ 1]
       + ((sp_int128)a[ 3]) * b[ 0];
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 0]) * b[ 4]
       + ((sp_int128)a[ 1]) * b[ 3]
       + ((sp_int128)a[ 2]) * b[ 2]
       + ((sp_int128)a[ 3]) * b[ 1]
       + ((sp_int128)a[ 4]) * b[ 0];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 0]) * b[ 5]
       + ((sp_int128)a[ 1]) * b[ 4]
       + ((sp_int128)a[ 2]) * b[ 3]
       + ((sp_int128)a[ 3]) * b[ 2]
       + ((sp_int128)a[ 4]) * b[ 1]
       + ((sp_int128)a[ 5]) * b[ 0];
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 0]) * b[ 6]
       + ((sp_int128)a[ 1]) * b[ 5]
       + ((sp_int128)a[ 2]) * b[ 4]
       + ((sp_int128)a[ 3]) * b[ 3]
       + ((sp_int128)a[ 4]) * b[ 2]
       + ((sp_int128)a[ 5]) * b[ 1]
       + ((sp_int128)a[ 6]) * b[ 0];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 0]) * b[ 7]
       + ((sp_int128)a[ 1]) * b[ 6]
       + ((sp_int128)a[ 2]) * b[ 5]
       + ((sp_int128)a[ 3]) * b[ 4]
       + ((sp_int128)a[ 4]) * b[ 3]
       + ((sp_int128)a[ 5]) * b[ 2]
       + ((sp_int128)a[ 6]) * b[ 1]
       + ((sp_int128)a[ 7]) * b[ 0];
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 0]) * b[ 8]
       + ((sp_int128)a[ 1]) * b[ 7]
       + ((sp_int128)a[ 2]) * b[ 6]
       + ((sp_int128)a[ 3]) * b[ 5]
       + ((sp_int128)a[ 4]) * b[ 4]
       + ((sp_int128)a[ 5]) * b[ 3]
       + ((sp_int128)a[ 6]) * b[ 2]
       + ((sp_int128)a[ 7]) * b[ 1]
       + ((sp_int128)a[ 8]) * b[ 0];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 1]) * b[ 8]
       + ((sp_int128)a[ 2]) * b[ 7]
       + ((sp_int128)a[ 3]) * b[ 6]
       + ((sp_int128)a[ 4]) * b[ 5]
       + ((sp_int128)a[ 5]) * b[ 4]
       + ((sp_int128)a[ 6]) * b[ 3]
       + ((sp_int128)a[ 7]) * b[ 2]
       + ((sp_int128)a[ 8]) * b[ 1];
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 2]) * b[ 8]
       + ((sp_int128)a[ 3]) * b[ 7]
       + ((sp_int128)a[ 4]) * b[ 6]
       + ((sp_int128)a[ 5]) * b[ 5]
       + ((sp_int128)a[ 6]) * b[ 4]
       + ((sp_int128)a[ 7]) * b[ 3]
       + ((sp_int128)a[ 8]) * b[ 2];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 3]) * b[ 8]
       + ((sp_int128)a[ 4]) * b[ 7]
       + ((sp_int128)a[ 5]) * b[ 6]
       + ((sp_int128)a[ 6]) * b[ 5]
       + ((sp_int128)a[ 7]) * b[ 4]
       + ((sp_int128)a[ 8]) * b[ 3];
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 4]) * b[ 8]
       + ((sp_int128)a[ 5]) * b[ 7]
       + ((sp_int128)a[ 6]) * b[ 6]
       + ((sp_int128)a[ 7]) * b[ 5]
       + ((sp_int128)a[ 8]) * b[ 4];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 5]) * b[ 8]
       + ((sp_int128)a[ 6]) * b[ 7]
       + ((sp_int128)a[ 7]) * b[ 6]
       + ((sp_int128)a[ 8]) * b[ 5];
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 6]) * b[ 8]
       + ((sp_int128)a[ 7]) * b[ 7]
       + ((sp_int128)a[ 8]) * b[ 6];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = ((sp_int128)a[ 7]) * b[ 8]
       + ((sp_int128)a[ 8]) * b[ 7];
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = ((sp_int128)a[ 8]) * b[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_1024_sqr_9(sp_digit* r, const sp_digit* a)
{
    sp_int128 t0;
    sp_int128 t1;
    sp_digit t[9];

    t0 =  ((sp_int128)a[ 0]) * a[ 0];
    t1 = (((sp_int128)a[ 0]) * a[ 1]) * 2;
    t[ 0] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 0]) * a[ 2]) * 2
       +  ((sp_int128)a[ 1]) * a[ 1];
    t[ 1] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 0]) * a[ 3]
       +  ((sp_int128)a[ 1]) * a[ 2]) * 2;
    t[ 2] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 0]) * a[ 4]
       +  ((sp_int128)a[ 1]) * a[ 3]) * 2
       +  ((sp_int128)a[ 2]) * a[ 2];
    t[ 3] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 0]) * a[ 5]
       +  ((sp_int128)a[ 1]) * a[ 4]
       +  ((sp_int128)a[ 2]) * a[ 3]) * 2;
    t[ 4] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 0]) * a[ 6]
       +  ((sp_int128)a[ 1]) * a[ 5]
       +  ((sp_int128)a[ 2]) * a[ 4]) * 2
       +  ((sp_int128)a[ 3]) * a[ 3];
    t[ 5] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 0]) * a[ 7]
       +  ((sp_int128)a[ 1]) * a[ 6]
       +  ((sp_int128)a[ 2]) * a[ 5]
       +  ((sp_int128)a[ 3]) * a[ 4]) * 2;
    t[ 6] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 0]) * a[ 8]
       +  ((sp_int128)a[ 1]) * a[ 7]
       +  ((sp_int128)a[ 2]) * a[ 6]
       +  ((sp_int128)a[ 3]) * a[ 5]) * 2
       +  ((sp_int128)a[ 4]) * a[ 4];
    t[ 7] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 1]) * a[ 8]
       +  ((sp_int128)a[ 2]) * a[ 7]
       +  ((sp_int128)a[ 3]) * a[ 6]
       +  ((sp_int128)a[ 4]) * a[ 5]) * 2;
    t[ 8] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 2]) * a[ 8]
       +  ((sp_int128)a[ 3]) * a[ 7]
       +  ((sp_int128)a[ 4]) * a[ 6]) * 2
       +  ((sp_int128)a[ 5]) * a[ 5];
    r[ 9] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 3]) * a[ 8]
       +  ((sp_int128)a[ 4]) * a[ 7]
       +  ((sp_int128)a[ 5]) * a[ 6]) * 2;
    r[10] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 4]) * a[ 8]
       +  ((sp_int128)a[ 5]) * a[ 7]) * 2
       +  ((sp_int128)a[ 6]) * a[ 6];
    r[11] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 5]) * a[ 8]
       +  ((sp_int128)a[ 6]) * a[ 7]) * 2;
    r[12] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 = (((sp_int128)a[ 6]) * a[ 8]) * 2
       +  ((sp_int128)a[ 7]) * a[ 7];
    r[13] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    t1 = (((sp_int128)a[ 7]) * a[ 8]) * 2;
    r[14] = t0 & 0x1ffffffffffffffL; t1 += t0 >> 57;
    t0 =  ((sp_int128)a[ 8]) * a[ 8];
    r[15] = t1 & 0x1ffffffffffffffL; t0 += t1 >> 57;
    r[16] = t0 & 0x1ffffffffffffffL;
    r[17] = (sp_digit)(t0 >> 57);
    XMEMCPY(r, t, sizeof(t));
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_1024_add_9(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    r[ 0] = a[ 0] + b[ 0];
    r[ 1] = a[ 1] + b[ 1];
    r[ 2] = a[ 2] + b[ 2];
    r[ 3] = a[ 3] + b[ 3];
    r[ 4] = a[ 4] + b[ 4];
    r[ 5] = a[ 5] + b[ 5];
    r[ 6] = a[ 6] + b[ 6];
    r[ 7] = a[ 7] + b[ 7];
    r[ 8] = a[ 8] + b[ 8];

    return 0;
}

/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_1024_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] + b[i + 0];
        r[i + 1] = a[i + 1] + b[i + 1];
        r[i + 2] = a[i + 2] + b[i + 2];
        r[i + 3] = a[i + 3] + b[i + 3];
        r[i + 4] = a[i + 4] + b[i + 4];
        r[i + 5] = a[i + 5] + b[i + 5];
        r[i + 6] = a[i + 6] + b[i + 6];
        r[i + 7] = a[i + 7] + b[i + 7];
    }
    r[16] = a[16] + b[16];
    r[17] = a[17] + b[17];

    return 0;
}

/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_1024_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] - b[i + 0];
        r[i + 1] = a[i + 1] - b[i + 1];
        r[i + 2] = a[i + 2] - b[i + 2];
        r[i + 3] = a[i + 3] - b[i + 3];
        r[i + 4] = a[i + 4] - b[i + 4];
        r[i + 5] = a[i + 5] - b[i + 5];
        r[i + 6] = a[i + 6] - b[i + 6];
        r[i + 7] = a[i + 7] - b[i + 7];
    }
    r[16] = a[16] - b[16];
    r[17] = a[17] - b[17];

    return 0;
}

/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_1024_mul_18(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    sp_digit* z0 = r;
    sp_digit z1[18];
    sp_digit* a1 = z1;
    sp_digit b1[9];
    sp_digit* z2 = r + 18;
    (void)sp_1024_add_9(a1, a, &a[9]);
    (void)sp_1024_add_9(b1, b, &b[9]);
    sp_1024_mul_9(z2, &a[9], &b[9]);
    sp_1024_mul_9(z0, a, b);
    sp_1024_mul_9(z1, a1, b1);
    (void)sp_1024_sub_18(z1, z1, z2);
    (void)sp_1024_sub_18(z1, z1, z0);
    (void)sp_1024_add_18(r + 9, r + 9, z1);
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_1024_sqr_18(sp_digit* r, const sp_digit* a)
{
    sp_digit* z0 = r;
    sp_digit z1[18];
    sp_digit* a1 = z1;
    sp_digit* z2 = r + 18;
    (void)sp_1024_add_9(a1, a, &a[9]);
    sp_1024_sqr_9(z2, &a[9]);
    sp_1024_sqr_9(z0, a);
    sp_1024_sqr_9(z1, a1);
    (void)sp_1024_sub_18(z1, z1, z2);
    (void)sp_1024_sub_18(z1, z1, z0);
    (void)sp_1024_add_18(r + 9, r + 9, z1);
}

#else
/* Multiply a and b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static void sp_1024_mul_18(sp_digit* r, const sp_digit* a,
    const sp_digit* b)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 lo;

    c = ((sp_uint128)a[17]) * b[17];
    r[35] = (sp_digit)(c >> 57);
    c &= 0x1ffffffffffffffL;
    for (k = 33; k >= 0; k--) {
        if (k >= 18) {
            i = k - 17;
            imax = 17;
        }
        else {
            i = 0;
            imax = k;
        }
        lo = 0;
        for (; i <= imax; i++) {
            lo += ((sp_uint128)a[i]) * b[k - i];
        }
        c += lo >> 57;
        r[k + 2] += (sp_digit)(c >> 57);
        r[k + 1]  = (sp_digit)(c & 0x1ffffffffffffffL);
        c = lo & 0x1ffffffffffffffL;
    }
    r[0] = (sp_digit)c;
}

/* Square a and put result in r. (r = a * a)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 */
SP_NOINLINE static void sp_1024_sqr_18(sp_digit* r, const sp_digit* a)
{
    int i;
    int imax;
    int k;
    sp_uint128 c;
    sp_uint128 t;

    c = ((sp_uint128)a[17]) * a[17];
    r[35] = (sp_digit)(c >> 57);
    c = (c & 0x1ffffffffffffffL) << 57;
    for (k = 33; k >= 0; k--) {
        i = (k + 1) / 2;
        if ((k & 1) == 0) {
           c += ((sp_uint128)a[i]) * a[i];
           i++;
        }
        if (k < 17) {
            imax = k;
        }
        else {
            imax = 17;
        }
        t = 0;
        for (; i <= imax; i++) {
            t += ((sp_uint128)a[i]) * a[k - i];
        }
        c += t * 2;

        r[k + 2] += (sp_digit) (c >> 114);
        r[k + 1]  = (sp_digit)((c >> 57) & 0x1ffffffffffffffL);
        c = (c & 0x1ffffffffffffffL) << 57;
    }
    r[0] = (sp_digit)(c >> 57);
}

#endif /* !WOLFSSL_SP_SMALL */
/* The modulus (prime) of the curve P1024. */
static const sp_digit p1024_mod[18] = {
    0x06d807afea85febL,0x0ef88563d6743b3L,0x008e2615f6c2031L,0x1ead2e3e3ff9c7dL,
    0x1c3c09aa9f94d6aL,0x02954153e79e290L,0x07386dabfd2a0c6L,0x1a8a2558b9acad0L,
    0x0e26c6487326b4cL,0x0b693fa53335368L,0x06ce7fdf222864dL,0x01aa634b3961cf2L,
    0x07e2fc0f1b22873L,0x19f00d177a05559L,0x0d20986fa6b8d62L,0x0caf482d819c339L,
    0x1da65c61198dad0L,0x04cbd5d8f852b1fL
};
/* The Montgomery normalizer for modulus of the curve P1024. */
static const sp_digit p1024_norm_mod[18] = {
    0x1927f850157a015L,0x11077a9c298bc4cL,0x1f71d9ea093dfceL,0x0152d1c1c006382L,
    0x03c3f655606b295L,0x1d6abeac1861d6fL,0x18c7925402d5f39L,0x0575daa7465352fL,
    0x11d939b78cd94b3L,0x1496c05acccac97L,0x19318020ddd79b2L,0x1e559cb4c69e30dL,
    0x181d03f0e4dd78cL,0x060ff2e885faaa6L,0x12df6790594729dL,0x1350b7d27e63cc6L,
    0x0259a39ee67252fL,0x03342a2707ad4e0L
};
/* The Montgomery multiplier for modulus of the curve P1024. */
static sp_digit p1024_mp_mod = 0x10420077c8f2f3d;
#if defined(WOLFSSL_SP_SMALL) || defined(HAVE_ECC_CHECK_KEY)
/* The order of the curve P1024. */
static const sp_digit p1024_order[18] = {
    0x19b601ebfaa17fbL,0x0bbe2158f59d0ecL,0x082389857db080cL,0x17ab4b8f8ffe71fL,
    0x070f026aa7e535aL,0x10a55054f9e78a4L,0x01ce1b6aff4a831L,0x06a289562e6b2b4L,
    0x0389b1921cc9ad3L,0x0ada4fe94ccd4daL,0x11b39ff7c88a193L,0x186a98d2ce5873cL,
    0x09f8bf03c6c8a1cL,0x167c0345de81556L,0x0b48261be9ae358L,0x032bd20b60670ceL,
    0x1f69971846636b4L,0x0132f5763e14ac7L
};
#endif
/* The base point of curve P1024. */
static const sp_point_1024 p1024_base = {
    /* X ordinate */
    {
        0x00dc8abeae63895L,0x023624b3f04bcc4L,0x0e96d8fdcfb203bL,
        0x1900e51b0fdd22cL,0x1a66910dd5cfb4cL,0x106f3a53e0a8a6dL,
        0x1cb869c0b0ce5e9L,0x19666f90ca916e5L,0x09760af765dd5bcL,
        0x0c5ecf3a0367448L,0x17c8b36e77e955cL,0x172061613c2087aL,
        0x00f6ce2308ab10dL,0x1b7fbe5fdaf6db6L,0x1b1a71a62cbc812L,
        0x16a5456345fac15L,0x1ad0a7990053ed9L,0x029fe04f7199614L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Y ordinate */
    {
        0x1573fd71bef16d7L,0x0dab83533ee6f3aL,0x156b56ed18dab6eL,
        0x0fd3973353017b5L,0x05a4d5f213515adL,0x0554c4a496cbcfeL,
        0x0bf82b1bc7a0059L,0x0d995ad2d6b6ecaL,0x170dae117ad547cL,
        0x0b67f8654f0195cL,0x06333e68502cb90L,0x0bcbe1bcabecd6bL,
        0x14654ec2b9e7f7fL,0x0f0a08bc7af534fL,0x0641a58f5de3608L,
        0x1426ba7d0402c05L,0x1f1f9f1f0533634L,0x0054124831fb004L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* Z ordinate */
    {
        0x000000000000001L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        0x000000000000000L,0x000000000000000L,0x000000000000000L,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0, (sp_digit)0,
        (sp_digit)0, (sp_digit)0, (sp_digit)0
    },
    /* infinity */
    0
};

/* Normalize the values in each word to 57 bits.
 *
 * a  Array of sp_digit to normalize.
 */
static void sp_1024_norm_18(sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    for (i = 0; i < 17; i++) {
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
#else
    int i;
    for (i = 0; i < 16; i += 8) {
        a[i+1] += a[i+0] >> 57; a[i+0] &= 0x1ffffffffffffffL;
        a[i+2] += a[i+1] >> 57; a[i+1] &= 0x1ffffffffffffffL;
        a[i+3] += a[i+2] >> 57; a[i+2] &= 0x1ffffffffffffffL;
        a[i+4] += a[i+3] >> 57; a[i+3] &= 0x1ffffffffffffffL;
        a[i+5] += a[i+4] >> 57; a[i+4] &= 0x1ffffffffffffffL;
        a[i+6] += a[i+5] >> 57; a[i+5] &= 0x1ffffffffffffffL;
        a[i+7] += a[i+6] >> 57; a[i+6] &= 0x1ffffffffffffffL;
        a[i+8] += a[i+7] >> 57; a[i+7] &= 0x1ffffffffffffffL;
    }
    a[17] += a[16] >> 57; a[16] &= 0x1ffffffffffffffL;
#endif /* WOLFSSL_SP_SMALL */
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_1024_mul_d_18(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 18; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
    }
    r[18] = (sp_digit)t;
#else
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 16; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    t += tb * a[16];
    r[16] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    t += tb * a[17];
    r[17] = (sp_digit)(t & 0x1ffffffffffffffL);
    t >>= 57;
    r[18] = (sp_digit)(t & 0x1ffffffffffffffL);
#endif /* WOLFSSL_SP_SMALL */
}

/* Multiply a by scalar b into r. (r = a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_1024_mul_d_36(sp_digit* r, const sp_digit* a,
    sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t = 0;
    int i;

    for (i = 0; i < 36; i++) {
        t += tb * a[i];
        r[i] = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
    }
    r[36] = (sp_digit)t;
#else
    sp_int128 tb = b;
    sp_int128 t = 0;
    sp_digit t2;
    sp_int128 p[4];
    int i;

    for (i = 0; i < 36; i += 4) {
        p[0] = tb * a[i + 0];
        p[1] = tb * a[i + 1];
        p[2] = tb * a[i + 2];
        p[3] = tb * a[i + 3];
        t += p[0];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 0] = (sp_digit)t2;
        t += p[1];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 1] = (sp_digit)t2;
        t += p[2];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 2] = (sp_digit)t2;
        t += p[3];
        t2 = (sp_digit)(t & 0x1ffffffffffffffL);
        t >>= 57;
        r[i + 3] = (sp_digit)t2;
    }
    r[36] = (sp_digit)(t & 0x1ffffffffffffffL);
#endif /* WOLFSSL_SP_SMALL */
}

#ifdef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_1024_cond_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 18; i++) {
        r[i] = a[i] + (b[i] & m);
    }
}
#endif /* WOLFSSL_SP_SMALL */

#ifndef WOLFSSL_SP_SMALL
/* Conditionally add a and b using the mask m.
 * m is -1 to add and 0 when not.
 *
 * r  A single precision number representing conditional add result.
 * a  A single precision number to add with.
 * b  A single precision number to add.
 * m  Mask value to apply.
 */
static void sp_1024_cond_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] + (b[i + 0] & m);
        r[i + 1] = a[i + 1] + (b[i + 1] & m);
        r[i + 2] = a[i + 2] + (b[i + 2] & m);
        r[i + 3] = a[i + 3] + (b[i + 3] & m);
        r[i + 4] = a[i + 4] + (b[i + 4] & m);
        r[i + 5] = a[i + 5] + (b[i + 5] & m);
        r[i + 6] = a[i + 6] + (b[i + 6] & m);
        r[i + 7] = a[i + 7] + (b[i + 7] & m);
    }
    r[16] = a[16] + (b[16] & m);
    r[17] = a[17] + (b[17] & m);
}
#endif /* !WOLFSSL_SP_SMALL */

#ifdef WOLFSSL_SP_SMALL
/* Sub b from a into r. (r = a - b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_1024_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 18; i++) {
        r[i] = a[i] - b[i];
    }

    return 0;
}

#endif
#ifdef WOLFSSL_SP_SMALL
/* Add b to a into r. (r = a + b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A single precision integer.
 */
SP_NOINLINE static int sp_1024_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b)
{
    int i;

    for (i = 0; i < 18; i++) {
        r[i] = a[i] + b[i];
    }

    return 0;
}
#endif /* WOLFSSL_SP_SMALL */

SP_NOINLINE static void sp_1024_rshift_18(sp_digit* r, const sp_digit* a,
        byte n)
{
    int i;

#ifdef WOLFSSL_SP_SMALL
    for (i=0; i<17; i++) {
        r[i] = ((a[i] >> n) | (a[i + 1] << (57 - n))) & 0x1ffffffffffffffL;
    }
#else
    for (i=0; i<16; i += 8) {
        r[i+0] = (a[i+0] >> n) | ((a[i+1] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+1] = (a[i+1] >> n) | ((a[i+2] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+2] = (a[i+2] >> n) | ((a[i+3] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+3] = (a[i+3] >> n) | ((a[i+4] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+4] = (a[i+4] >> n) | ((a[i+5] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+5] = (a[i+5] >> n) | ((a[i+6] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+6] = (a[i+6] >> n) | ((a[i+7] << (57 - n)) & 0x1ffffffffffffffL);
        r[i+7] = (a[i+7] >> n) | ((a[i+8] << (57 - n)) & 0x1ffffffffffffffL);
    }
    r[16] = (a[16] >> n) | ((a[17] << (57 - n)) & 0x1ffffffffffffffL);
#endif /* WOLFSSL_SP_SMALL */
    r[17] = a[17] >> n;
}

static WC_INLINE sp_digit sp_1024_div_word_18(sp_digit d1, sp_digit d0,
    sp_digit div)
{
#ifdef SP_USE_DIVTI3
    sp_int128 d = ((sp_int128)d1 << 57) + d0;

    return d / div;
#elif defined(__x86_64__) || defined(__i386__)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_uint64 lo = (sp_uint64)d;
    sp_digit hi = (sp_digit)(d >> 64);

    __asm__ __volatile__ (
        "idiv %2"
        : "+a" (lo)
        : "d" (hi), "r" (div)
        : "cc"
    );

    return (sp_digit)lo;
#elif !defined(__aarch64__) &&  !defined(SP_DIV_WORD_USE_DIV)
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit dv = (div >> 1) + 1;
    sp_digit t1 = (sp_digit)(d >> 57);
    sp_digit t0 = (sp_digit)(d & 0x1ffffffffffffffL);
    sp_digit t2;
    sp_digit sign;
    sp_digit r;
    int i;
    sp_int128 m;

    r = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
    t1 -= dv & (0 - r);
    for (i = 55; i >= 1; i--) {
        t1 += t1 + (((sp_uint64)t0 >> 56) & 1);
        t0 <<= 1;
        t2 = (sp_digit)(((sp_uint64)(dv - t1)) >> 63);
        r += r + t2;
        t1 -= dv & (0 - t2);
        t1 += t2;
    }
    r += r + 1;

    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 57);
    m = d - ((sp_int128)r * div);
    r += (sp_digit)(m >> 114) - (sp_digit)(d >> 114);

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;

    m = d - ((sp_int128)r * div);
    sign = (sp_digit)(0 - ((sp_uint64)m >> 63)) * 2 + 1;
    m *= sign;
    t2 = (sp_digit)(((sp_uint64)(div - m)) >> 63);
    r += sign * t2;
   return r;
#else
    sp_int128 d = ((sp_int128)d1 << 57) + d0;
    sp_digit r = 0;
    sp_digit t;
    sp_digit dv = (div >> 26) + 1;

    t = (sp_digit)(d >> 52);
    t = (t / dv) << 26;
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)(d >> 21);
    t = t / (dv << 5);
    r += t;
    d -= (sp_int128)t * div;
    t = (sp_digit)d;
    t = t / div;
    r += t;
    d -= (sp_int128)t * div;
    return r;
#endif
}
static WC_INLINE sp_digit sp_1024_word_div_word_18(sp_digit d, sp_digit div)
{
#if defined(__x86_64__) || defined(__i386__) || defined(__aarch64__) || \
    defined(SP_DIV_WORD_USE_DIV)
    return d / div;
#else
    return (sp_digit)((sp_uint64)(div - d) >> 63);
#endif
}
/* Divide d in a and put remainder into r (m*d + r = a)
 * m is not calculated as it is not needed at this time.
 *
 * Full implementation.
 *
 * a  Number to be divided.
 * d  Number to divide with.
 * m  Multiplier result.
 * r  Remainder from the division.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_1024_div_18(const sp_digit* a, const sp_digit* d,
        const sp_digit* m, sp_digit* r)
{
    int i;
#ifndef WOLFSSL_SP_DIV_64
#endif
    sp_digit dv;
    sp_digit r1;
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[4 * 18 + 3];
#endif
    sp_digit* t2 = NULL;
    sp_digit* sd = NULL;
    int err = MP_OKAY;

    (void)m;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * (4 * 18 + 3), NULL,
                                                       DYNAMIC_TYPE_TMP_BUFFER);
    if (t1 == NULL)
        err = MEMORY_E;
#endif

    (void)m;

    if (err == MP_OKAY) {
        t2 = t1 + 36 + 1;
        sd = t2 + 18 + 1;

        sp_1024_mul_d_18(sd, d, (sp_digit)1 << 2);
        sp_1024_mul_d_36(t1, a, (sp_digit)1 << 2);
        dv = sd[17];
        t1[18 + 18] += t1[18 + 18 - 1] >> 57;
        t1[18 + 18 - 1] &= 0x1ffffffffffffffL;
        for (i=18; i>=0; i--) {
            r1 = sp_1024_div_word_18(t1[18 + i], t1[18 + i - 1], dv);

            sp_1024_mul_d_18(t2, sd, r1);
            (void)sp_1024_sub_18(&t1[i], &t1[i], t2);
            sp_1024_norm_18(&t1[i]);
            t1[18 + i] -= t2[18];
            t1[18 + i] += t1[18 + i - 1] >> 57;
            t1[18 + i - 1] &= 0x1ffffffffffffffL;
            r1 = sp_1024_div_word_18(-t1[18 + i], -t1[18 + i - 1], dv);
            r1 -= t1[18 + i];
            sp_1024_mul_d_18(t2, sd, r1);
            (void)sp_1024_add_18(&t1[i], &t1[i], t2);
            t1[18 + i] += t1[18 + i - 1] >> 57;
            t1[18 + i - 1] &= 0x1ffffffffffffffL;
        }
        t1[18 - 1] += t1[18 - 2] >> 57;
        t1[18 - 2] &= 0x1ffffffffffffffL;
        r1 = sp_1024_word_div_word_18(t1[18 - 1], dv);

        sp_1024_mul_d_18(t2, sd, r1);
        sp_1024_sub_18(t1, t1, t2);
        XMEMCPY(r, t1, sizeof(*r) * 36U);
        for (i=0; i<17; i++) {
            r[i+1] += r[i] >> 57;
            r[i] &= 0x1ffffffffffffffL;
        }
        sp_1024_cond_add_18(r, r, sd, r[17] >> 63);

        sp_1024_norm_18(r);
        sp_1024_rshift_18(r, r, 2);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif

    return err;
}

/* Reduce a modulo m into r. (r = a mod m)
 *
 * r  A single precision number that is the reduced result.
 * a  A single precision number that is to be reduced.
 * m  A single precision number that is the modulus to reduce with.
 * returns MEMORY_E when unable to allocate memory and MP_OKAY otherwise.
 */
static int sp_1024_mod_18(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    return sp_1024_div_18(a, m, NULL, r);
}

/* Multiply a number by Montgomery normalizer mod modulus (prime).
 *
 * r  The resulting Montgomery form number.
 * a  The number to convert.
 * m  The modulus (prime).
 * returns MEMORY_E when memory allocation fails and MP_OKAY otherwise.
 */
static int sp_1024_mod_mul_norm_18(sp_digit* r, const sp_digit* a,
        const sp_digit* m)
{
    sp_1024_mul_18(r, a, p1024_norm_mod);
    return sp_1024_mod_18(r, r, m);
}


#ifdef WOLFCRYPT_HAVE_SAKKE
/* Create a new point.
 *
 * heap  [in]   Buffer to allocate dynamic memory from.
 * sp    [in]   Data for point - only if not allocating.
 * p     [out]  New point.
 * returns MEMORY_E when dynamic memory allocation fails and 0 otherwise.
 */
static int sp_1024_point_new_ex_18(void* heap, sp_point_1024* sp,
    sp_point_1024** p)
{
    int ret = MP_OKAY;
    (void)heap;
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    (void)sp;
    *p = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), heap, DYNAMIC_TYPE_ECC);
#else
    *p = sp;
#endif
    if (*p == NULL) {
        ret = MEMORY_E;
    }
    return ret;
}

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
/* Allocate memory for point and return error. */
#define sp_1024_point_new_18(heap, sp, p) sp_1024_point_new_ex_18((heap), NULL, &(p))
#else
/* Set pointer to data and return no error. */
#define sp_1024_point_new_18(heap, sp, p) sp_1024_point_new_ex_18((heap), &(sp), &(p))
#endif
#endif /* WOLFCRYPT_HAVE_SAKKE */
#ifdef WOLFCRYPT_HAVE_SAKKE
/* Free the point.
 *
 * p      [in,out]  Point to free.
 * clear  [in]      Indicates whether to zeroize point.
 * heap   [in]      Buffer from which dynamic memory was allocate from.
 */
static void sp_1024_point_free_18(sp_point_1024* p, int clear, void* heap)
{
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
/* If valid pointer then clear point data if requested and free data. */
    if (p != NULL) {
        if (clear != 0) {
            XMEMSET(p, 0, sizeof(*p));
        }
        XFREE(p, heap, DYNAMIC_TYPE_ECC);
    }
#else
/* Clear point data if requested. */
    if ((p != NULL) && (clear != 0)) {
        XMEMSET(p, 0, sizeof(*p));
    }
#endif
    (void)heap;
}
#endif /* WOLFCRYPT_HAVE_SAKKE */

/* Convert an mp_int to an array of sp_digit.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  A multi-precision integer.
 */
static void sp_1024_from_mp(sp_digit* r, int size, const mp_int* a)
{
#if DIGIT_BIT == 57
    int i;
    sp_digit j = (sp_digit)0 - (sp_digit)a->used;
    int o = 0;

    for (i = 0; i < size; i++) {
        sp_digit mask = (sp_digit)0 - (j >> 56);
        r[i] = a->dp[o] & mask;
        j++;
        o += (int)(j >> 56);
    }
#elif DIGIT_BIT > 57
    unsigned int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i] << s);
        r[j] &= 0x1ffffffffffffffL;
        s = 57U - s;
        if (j + 1 >= size) {
            break;
        }
        /* lint allow cast of mismatch word32 and mp_digit */
        r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
        while ((s + 57U) <= (word32)DIGIT_BIT) {
            s += 57U;
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            if (s < (word32)DIGIT_BIT) {
                /* lint allow cast of mismatch word32 and mp_digit */
                r[++j] = (sp_digit)(a->dp[i] >> s); /*lint !e9033*/
            }
            else {
                r[++j] = (sp_digit)0;
            }
        }
        s = (word32)DIGIT_BIT - s;
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#else
    unsigned int i;
    int j = 0;
    int s = 0;

    r[0] = 0;
    for (i = 0; i < (unsigned int)a->used && j < size; i++) {
        r[j] |= ((sp_digit)a->dp[i]) << s;
        if (s + DIGIT_BIT >= 57) {
            r[j] &= 0x1ffffffffffffffL;
            if (j + 1 >= size) {
                break;
            }
            s = 57 - s;
            if (s == DIGIT_BIT) {
                r[++j] = 0;
                s = 0;
            }
            else {
                r[++j] = a->dp[i] >> s;
                s = DIGIT_BIT - s;
            }
        }
        else {
            s += DIGIT_BIT;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
#endif
}

/* Convert a point of type ecc_point to type sp_point_1024.
 *
 * p   Point of type sp_point_1024 (result).
 * pm  Point of type ecc_point.
 */
static void sp_1024_point_from_ecc_point_18(sp_point_1024* p,
        const ecc_point* pm)
{
    XMEMSET(p->x, 0, sizeof(p->x));
    XMEMSET(p->y, 0, sizeof(p->y));
    XMEMSET(p->z, 0, sizeof(p->z));
    sp_1024_from_mp(p->x, 18, pm->x);
    sp_1024_from_mp(p->y, 18, pm->y);
    sp_1024_from_mp(p->z, 18, pm->z);
    p->infinity = 0;
}

/* Convert an array of sp_digit to an mp_int.
 *
 * a  A single precision integer.
 * r  A multi-precision integer.
 */
static int sp_1024_to_mp(const sp_digit* a, mp_int* r)
{
    int err;

    err = mp_grow(r, (1024 + DIGIT_BIT - 1) / DIGIT_BIT);
    if (err == MP_OKAY) { /*lint !e774 case where err is always MP_OKAY*/
#if DIGIT_BIT == 57
        XMEMCPY(r->dp, a, sizeof(sp_digit) * 18);
        r->used = 18;
        mp_clamp(r);
#elif DIGIT_BIT < 57
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 18; i++) {
            r->dp[j] |= (mp_digit)(a[i] << s);
            r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
            s = DIGIT_BIT - s;
            r->dp[++j] = (mp_digit)(a[i] >> s);
            while (s + DIGIT_BIT <= 57) {
                s += DIGIT_BIT;
                r->dp[j++] &= ((sp_digit)1 << DIGIT_BIT) - 1;
                if (s == SP_WORD_SIZE) {
                    r->dp[j] = 0;
                }
                else {
                    r->dp[j] = (mp_digit)(a[i] >> s);
                }
            }
            s = 57 - s;
        }
        r->used = (1024 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#else
        int i;
        int j = 0;
        int s = 0;

        r->dp[0] = 0;
        for (i = 0; i < 18; i++) {
            r->dp[j] |= ((mp_digit)a[i]) << s;
            if (s + 57 >= DIGIT_BIT) {
    #if DIGIT_BIT != 32 && DIGIT_BIT != 64
                r->dp[j] &= ((sp_digit)1 << DIGIT_BIT) - 1;
    #endif
                s = DIGIT_BIT - s;
                r->dp[++j] = a[i] >> s;
                s = 57 - s;
            }
            else {
                s += 57;
            }
        }
        r->used = (1024 + DIGIT_BIT - 1) / DIGIT_BIT;
        mp_clamp(r);
#endif
    }

    return err;
}

/* Convert a point of type sp_point_1024 to type ecc_point.
 *
 * p   Point of type sp_point_1024.
 * pm  Point of type ecc_point (result).
 * returns MEMORY_E when allocation of memory in ecc_point fails otherwise
 * MP_OKAY.
 */
static int sp_1024_point_to_ecc_point_18(const sp_point_1024* p, ecc_point* pm)
{
    int err;

    err = sp_1024_to_mp(p->x, pm->x);
    if (err == MP_OKAY) {
        err = sp_1024_to_mp(p->y, pm->y);
    }
    if (err == MP_OKAY) {
        err = sp_1024_to_mp(p->z, pm->z);
    }

    return err;
}

/* Compare a with b in constant time.
 *
 * a  A single precision integer.
 * b  A single precision integer.
 * return -ve, 0 or +ve if a is less than, equal to or greater than b
 * respectively.
 */
static sp_digit sp_1024_cmp_18(const sp_digit* a, const sp_digit* b)
{
    sp_digit r = 0;
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=17; i>=0; i--) {
        r |= (a[i] - b[i]) & ~(((sp_digit)0 - r) >> 56);
    }
#else
    int i;

    r |= (a[17] - b[17]) & (0 - (sp_digit)1);
    r |= (a[16] - b[16]) & ~(((sp_digit)0 - r) >> 56);
    for (i = 8; i >= 0; i -= 8) {
        r |= (a[i + 7] - b[i + 7]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 6] - b[i + 6]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 5] - b[i + 5]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 4] - b[i + 4]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 3] - b[i + 3]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 2] - b[i + 2]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 1] - b[i + 1]) & ~(((sp_digit)0 - r) >> 56);
        r |= (a[i + 0] - b[i + 0]) & ~(((sp_digit)0 - r) >> 56);
    }
#endif /* WOLFSSL_SP_SMALL */

    return r;
}

/* Conditionally subtract b from a using the mask m.
 * m is -1 to subtract and 0 when not.
 *
 * r  A single precision number representing condition subtract result.
 * a  A single precision number to subtract from.
 * b  A single precision number to subtract.
 * m  Mask value to apply.
 */
static void sp_1024_cond_sub_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit m)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 18; i++) {
        r[i] = a[i] - (b[i] & m);
    }
#else
    int i;

    for (i = 0; i < 16; i += 8) {
        r[i + 0] = a[i + 0] - (b[i + 0] & m);
        r[i + 1] = a[i + 1] - (b[i + 1] & m);
        r[i + 2] = a[i + 2] - (b[i + 2] & m);
        r[i + 3] = a[i + 3] - (b[i + 3] & m);
        r[i + 4] = a[i + 4] - (b[i + 4] & m);
        r[i + 5] = a[i + 5] - (b[i + 5] & m);
        r[i + 6] = a[i + 6] - (b[i + 6] & m);
        r[i + 7] = a[i + 7] - (b[i + 7] & m);
    }
    r[16] = a[16] - (b[16] & m);
    r[17] = a[17] - (b[17] & m);
#endif /* WOLFSSL_SP_SMALL */
}

/* Mul a by scalar b and add into r. (r += a * b)
 *
 * r  A single precision integer.
 * a  A single precision integer.
 * b  A scalar.
 */
SP_NOINLINE static void sp_1024_mul_add_18(sp_digit* r, const sp_digit* a,
        const sp_digit b)
{
#ifdef WOLFSSL_SP_SMALL
    sp_int128 tb = b;
    sp_int128 t[4];
    int i;

    t[0] = 0;
    for (i = 0; i < 16; i += 4) {
        t[0] += (tb * a[i+0]) + r[i+0];
        t[1]  = (tb * a[i+1]) + r[i+1];
        t[2]  = (tb * a[i+2]) + r[i+2];
        t[3]  = (tb * a[i+3]) + r[i+3];
        r[i+0] = t[0] & 0x1ffffffffffffffL;
        t[1] += t[0] >> 57;
        r[i+1] = t[1] & 0x1ffffffffffffffL;
        t[2] += t[1] >> 57;
        r[i+2] = t[2] & 0x1ffffffffffffffL;
        t[3] += t[2] >> 57;
        r[i+3] = t[3] & 0x1ffffffffffffffL;
        t[0]  = t[3] >> 57;
    }
    t[0] += (tb * a[16]) + r[16];
    t[1]  = (tb * a[17]) + r[17];
    r[16] = t[0] & 0x1ffffffffffffffL;
    t[1] += t[0] >> 57;
    r[17] = t[1] & 0x1ffffffffffffffL;
    r[18] +=  (sp_digit)(t[1] >> 57);
#else
    sp_int128 tb = b;
    sp_int128 t[8];
    int i;

    t[0] = tb * a[0]; r[0] += (sp_digit)(t[0] & 0x1ffffffffffffffL);
    for (i = 0; i < 16; i += 8) {
        t[1] = tb * a[i+1];
        r[i+1] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
        t[2] = tb * a[i+2];
        r[i+2] += (sp_digit)((t[1] >> 57) + (t[2] & 0x1ffffffffffffffL));
        t[3] = tb * a[i+3];
        r[i+3] += (sp_digit)((t[2] >> 57) + (t[3] & 0x1ffffffffffffffL));
        t[4] = tb * a[i+4];
        r[i+4] += (sp_digit)((t[3] >> 57) + (t[4] & 0x1ffffffffffffffL));
        t[5] = tb * a[i+5];
        r[i+5] += (sp_digit)((t[4] >> 57) + (t[5] & 0x1ffffffffffffffL));
        t[6] = tb * a[i+6];
        r[i+6] += (sp_digit)((t[5] >> 57) + (t[6] & 0x1ffffffffffffffL));
        t[7] = tb * a[i+7];
        r[i+7] += (sp_digit)((t[6] >> 57) + (t[7] & 0x1ffffffffffffffL));
        t[0] = tb * a[i+8];
        r[i+8] += (sp_digit)((t[7] >> 57) + (t[0] & 0x1ffffffffffffffL));
    }
    t[1] = tb * a[17];
    r[17] += (sp_digit)((t[0] >> 57) + (t[1] & 0x1ffffffffffffffL));
    r[18] +=  (sp_digit)(t[1] >> 57);
#endif /* WOLFSSL_SP_SMALL */
}

/* Shift the result in the high 1024 bits down to the bottom.
 *
 * r  A single precision number.
 * a  A single precision number.
 */
static void sp_1024_mont_shift_18(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;
    sp_uint64 n;

    n = a[17] >> 55;
    for (i = 0; i < 17; i++) {
        n += (sp_uint64)a[18 + i] << 2;
        r[i] = n & 0x1ffffffffffffffL;
        n >>= 57;
    }
    n += (sp_uint64)a[35] << 2;
    r[17] = n;
#else
    sp_uint64 n;
    int i;

    n  = (sp_uint64)a[17];
    n  = n >> 55U;
    for (i = 0; i < 16; i += 8) {
        n += (sp_uint64)a[i+18] << 2U; r[i+0] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+19] << 2U; r[i+1] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+20] << 2U; r[i+2] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+21] << 2U; r[i+3] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+22] << 2U; r[i+4] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+23] << 2U; r[i+5] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+24] << 2U; r[i+6] = n & 0x1ffffffffffffffUL; n >>= 57U;
        n += (sp_uint64)a[i+25] << 2U; r[i+7] = n & 0x1ffffffffffffffUL; n >>= 57U;
    }
    n += (sp_uint64)a[34] << 2U; r[16] = n & 0x1ffffffffffffffUL; n >>= 57U;
    n += (sp_uint64)a[35] << 2U; r[17] = n;
#endif /* WOLFSSL_SP_SMALL */
    XMEMSET(&r[18], 0, sizeof(*r) * 18U);
}

/* Reduce the number back to 1024 bits using Montgomery reduction.
 *
 * a   A single precision number to reduce in place.
 * m   The single precision number representing the modulus.
 * mp  The digit representing the negative inverse of m mod 2^n.
 */
static void sp_1024_mont_reduce_18(sp_digit* a, const sp_digit* m, sp_digit mp)
{
    int i;
    sp_digit mu;
    sp_digit over;

    sp_1024_norm_18(a + 18);

    if (mp != 1) {
        for (i=0; i<17; i++) {
            mu = (a[i] * mp) & 0x1ffffffffffffffL;
            sp_1024_mul_add_18(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = (a[i] * mp) & 0x7fffffffffffffL;
        sp_1024_mul_add_18(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
    else {
        for (i=0; i<17; i++) {
            mu = a[i] & 0x1ffffffffffffffL;
            sp_1024_mul_add_18(a+i, m, mu);
            a[i+1] += a[i] >> 57;
        }
        mu = a[i] & 0x7fffffffffffffL;
        sp_1024_mul_add_18(a+i, m, mu);
        a[i+1] += a[i] >> 57;
        a[i] &= 0x1ffffffffffffffL;
    }
    sp_1024_mont_shift_18(a, a);
    over = a[17] - m[17];
    sp_1024_cond_sub_18(a, a, m, ~((over - 1) >> 63));
    sp_1024_norm_18(a);
}

/* Multiply two Montgomery form numbers mod the modulus (prime).
 * (r = a * b mod m)
 *
 * r   Result of multiplication.
 * a   First number to multiply in Montgomery form.
 * b   Second number to multiply in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_1024_mont_mul_18(sp_digit* r, const sp_digit* a,
        const sp_digit* b, const sp_digit* m, sp_digit mp)
{
    sp_1024_mul_18(r, a, b);
    sp_1024_mont_reduce_18(r, m, mp);
}

/* Square the Montgomery form number. (r = a * a mod m)
 *
 * r   Result of squaring.
 * a   Number to square in Montgomery form.
 * m   Modulus (prime).
 * mp  Montgomery multiplier.
 */
SP_NOINLINE static void sp_1024_mont_sqr_18(sp_digit* r, const sp_digit* a,
        const sp_digit* m, sp_digit mp)
{
    sp_1024_sqr_18(r, a);
    sp_1024_mont_reduce_18(r, m, mp);
}

/* Mod-2 for the P1024 curve. */
static const uint8_t p1024_mod_minus_2[] = {
     6,0x06,  7,0x0f,  7,0x0b,  6,0x0c,  7,0x1e,  9,0x09,  7,0x0c,  7,0x1f,
     6,0x16,  6,0x06,  7,0x0e,  8,0x10,  6,0x03,  8,0x11,  6,0x0d,  7,0x14,
     9,0x12,  6,0x0f,  7,0x04,  9,0x0d,  6,0x00,  7,0x13,  6,0x01,  6,0x07,
     8,0x0d,  8,0x00,  6,0x06,  9,0x17,  6,0x14,  6,0x15,  6,0x11,  6,0x0b,
     9,0x0c,  6,0x1e, 13,0x14,  7,0x0e,  6,0x1d, 12,0x0a,  6,0x0b,  8,0x07,
     6,0x18,  6,0x0f,  6,0x10,  8,0x1c,  7,0x16,  7,0x02,  6,0x01,  6,0x13,
    10,0x15,  7,0x06,  8,0x14,  6,0x0c,  6,0x19,  7,0x10,  6,0x19,  6,0x19,
     9,0x16,  7,0x19,  6,0x1f,  6,0x17,  6,0x12,  8,0x02,  6,0x01,  6,0x04,
     6,0x15,  7,0x16,  6,0x04,  6,0x1f,  6,0x09,  7,0x06,  7,0x13,  7,0x09,
     6,0x0d, 10,0x18,  6,0x06,  6,0x11,  6,0x04,  6,0x01,  6,0x13,  8,0x06,
     6,0x0d,  8,0x13,  7,0x08,  6,0x08,  6,0x05,  7,0x0c,  7,0x0e,  7,0x15,
     6,0x05,  7,0x14, 10,0x19,  6,0x10,  6,0x16,  6,0x15,  7,0x1f,  6,0x14,
     6,0x0a, 10,0x11,  6,0x01,  7,0x05,  7,0x08,  8,0x0a,  7,0x1e,  7,0x1c,
     6,0x1c,  7,0x09, 10,0x18,  7,0x1c, 10,0x06,  6,0x0a,  6,0x07,  6,0x19,
     7,0x06,  6,0x0d,  7,0x0f,  7,0x0b,  7,0x05,  6,0x11,  6,0x1c,  7,0x1f,
     6,0x1e,  7,0x18,  6,0x1e,  6,0x00,  6,0x03,  6,0x02,  7,0x10,  6,0x0b,
     6,0x1b,  7,0x10,  6,0x00,  8,0x11,  7,0x1b,  6,0x18,  6,0x01,  7,0x0c,
     7,0x1d,  7,0x13,  6,0x08,  7,0x1b,  8,0x13,  7,0x16, 13,0x1d,  7,0x1f,
     6,0x0a,  6,0x01,  7,0x1f,  6,0x14,  1,0x01
};

/* Invert the number, in Montgomery form, modulo the modulus (prime) of the
 * P1024 curve. (r = 1 / a mod m)
 *
 * r   Inverse result.
 * a   Number to invert.
 * td  Temporary data.
 */
static void sp_1024_mont_inv_18(sp_digit* r, const sp_digit* a,
        sp_digit* td)
{
    sp_digit* t = &td[32 * 2 * 18];
    int i;
    int j;
    sp_digit* table[32];

    for (i = 0; i < 32; i++) {
        table[i] = &td[2 * 18 * i];
    }
    XMEMCPY(table[0], a, sizeof(sp_digit) * 18);
    for (i = 1; i < 6; i++) {
        sp_1024_mont_sqr_18(table[0], table[0], p1024_mod, p1024_mp_mod);
    }
    for (i = 1; i < 32; i++) {
        sp_1024_mont_mul_18(table[i], table[i-1], a, p1024_mod, p1024_mp_mod);
    }

    XMEMCPY(t, table[p1024_mod_minus_2[1]], sizeof(sp_digit) * 18);
    for (i = 2; i < (int)sizeof(p1024_mod_minus_2) - 2; i += 2) {
        for (j = 0; j < p1024_mod_minus_2[i]; j++) {
            sp_1024_mont_sqr_18(t, t, p1024_mod, p1024_mp_mod);
        }
        sp_1024_mont_mul_18(t, t, table[p1024_mod_minus_2[i+1]], p1024_mod,
            p1024_mp_mod);
    }
    sp_1024_mont_sqr_18(t, t, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(r, t, a, p1024_mod, p1024_mp_mod);
}

/* Map the Montgomery form projective coordinate point to an affine point.
 *
 * r  Resulting affine coordinate point.
 * p  Montgomery form projective coordinate point.
 * t  Temporary ordinate data.
 */
static void sp_1024_map_18(sp_point_1024* r, const sp_point_1024* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*18;
    sp_int64 n;

    sp_1024_mont_inv_18(t1, p->z, t + 2*18);

    sp_1024_mont_sqr_18(t2, t1, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t1, t2, t1, p1024_mod, p1024_mp_mod);

    /* x /= z^2 */
    sp_1024_mont_mul_18(r->x, p->x, t2, p1024_mod, p1024_mp_mod);
    XMEMSET(r->x + 18, 0, sizeof(sp_digit) * 18U);
    sp_1024_mont_reduce_18(r->x, p1024_mod, p1024_mp_mod);
    /* Reduce x to less than modulus */
    n = sp_1024_cmp_18(r->x, p1024_mod);
    sp_1024_cond_sub_18(r->x, r->x, p1024_mod, ~(n >> 56));
    sp_1024_norm_18(r->x);

    /* y /= z^3 */
    sp_1024_mont_mul_18(r->y, p->y, t1, p1024_mod, p1024_mp_mod);
    XMEMSET(r->y + 18, 0, sizeof(sp_digit) * 18U);
    sp_1024_mont_reduce_18(r->y, p1024_mod, p1024_mp_mod);
    /* Reduce y to less than modulus */
    n = sp_1024_cmp_18(r->y, p1024_mod);
    sp_1024_cond_sub_18(r->y, r->y, p1024_mod, ~(n >> 56));
    sp_1024_norm_18(r->y);

    XMEMSET(r->z, 0, sizeof(r->z) / 2);
    r->z[0] = 1;
}

/* Add two Montgomery form numbers (r = a + b % m).
 *
 * r   Result of addition.
 * a   First number to add in Montgomery form.
 * b   Second number to add in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_1024_mont_add_18(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    sp_digit over;
    (void)sp_1024_add_18(r, a, b);
    sp_1024_norm_18(r);
    over = r[17] - m[17];
    sp_1024_cond_sub_18(r, r, m, ~((over - 1) >> 63));
    sp_1024_norm_18(r);
}

/* Double a Montgomery form number (r = a + a % m).
 *
 * r   Result of doubling.
 * a   Number to double in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_1024_mont_dbl_18(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_1024_add_18(r, a, a);
    sp_1024_norm_18(r);
    over = r[17] - m[17];
    sp_1024_cond_sub_18(r, r, m, ~((over - 1) >> 63));
    sp_1024_norm_18(r);
}

/* Triple a Montgomery form number (r = a + a + a % m).
 *
 * r   Result of Tripling.
 * a   Number to triple in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_1024_mont_tpl_18(sp_digit* r, const sp_digit* a, const sp_digit* m)
{
    sp_digit over;
    (void)sp_1024_add_18(r, a, a);
    sp_1024_norm_18(r);
    over = r[17] - m[17];
    sp_1024_cond_sub_18(r, r, m, ~((over - 1) >> 63));
    sp_1024_norm_18(r);
    (void)sp_1024_add_18(r, r, a);
    sp_1024_norm_18(r);
    over = r[17] - m[17];
    sp_1024_cond_sub_18(r, r, m, ~((over - 1) >> 63));
    sp_1024_norm_18(r);
}

/* Subtract two Montgomery form numbers (r = a - b % m).
 *
 * r   Result of subtration.
 * a   Number to subtract from in Montgomery form.
 * b   Number to subtract with in Montgomery form.
 * m   Modulus (prime).
 */
static void sp_1024_mont_sub_18(sp_digit* r, const sp_digit* a, const sp_digit* b,
        const sp_digit* m)
{
    (void)sp_1024_sub_18(r, a, b);
    sp_1024_norm_18(r);
    sp_1024_cond_add_18(r, r, m, r[17] >> 55);
    sp_1024_norm_18(r);
}

/* Shift number left one bit.
 * Bottom bit is lost.
 *
 * r  Result of shift.
 * a  Number to shift.
 */
SP_NOINLINE static void sp_1024_rshift1_18(sp_digit* r, const sp_digit* a)
{
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i=0; i<17; i++) {
        r[i] = (a[i] >> 1) + ((a[i + 1] << 56) & 0x1ffffffffffffffL);
    }
#else
    r[0] = (a[0] >> 1) + ((a[1] << 56) & 0x1ffffffffffffffL);
    r[1] = (a[1] >> 1) + ((a[2] << 56) & 0x1ffffffffffffffL);
    r[2] = (a[2] >> 1) + ((a[3] << 56) & 0x1ffffffffffffffL);
    r[3] = (a[3] >> 1) + ((a[4] << 56) & 0x1ffffffffffffffL);
    r[4] = (a[4] >> 1) + ((a[5] << 56) & 0x1ffffffffffffffL);
    r[5] = (a[5] >> 1) + ((a[6] << 56) & 0x1ffffffffffffffL);
    r[6] = (a[6] >> 1) + ((a[7] << 56) & 0x1ffffffffffffffL);
    r[7] = (a[7] >> 1) + ((a[8] << 56) & 0x1ffffffffffffffL);
    r[8] = (a[8] >> 1) + ((a[9] << 56) & 0x1ffffffffffffffL);
    r[9] = (a[9] >> 1) + ((a[10] << 56) & 0x1ffffffffffffffL);
    r[10] = (a[10] >> 1) + ((a[11] << 56) & 0x1ffffffffffffffL);
    r[11] = (a[11] >> 1) + ((a[12] << 56) & 0x1ffffffffffffffL);
    r[12] = (a[12] >> 1) + ((a[13] << 56) & 0x1ffffffffffffffL);
    r[13] = (a[13] >> 1) + ((a[14] << 56) & 0x1ffffffffffffffL);
    r[14] = (a[14] >> 1) + ((a[15] << 56) & 0x1ffffffffffffffL);
    r[15] = (a[15] >> 1) + ((a[16] << 56) & 0x1ffffffffffffffL);
    r[16] = (a[16] >> 1) + ((a[17] << 56) & 0x1ffffffffffffffL);
#endif
    r[17] = a[17] >> 1;
}

/* Divide the number by 2 mod the modulus (prime). (r = a / 2 % m)
 *
 * r  Result of division by 2.
 * a  Number to divide.
 * m  Modulus (prime).
 */
static void sp_1024_mont_div2_18(sp_digit* r, const sp_digit* a,
        const sp_digit* m)
{
    sp_1024_cond_add_18(r, a, m, 0 - (a[0] & 1));
    sp_1024_norm_18(r);
    sp_1024_rshift1_18(r, r);
}

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static void sp_1024_proj_point_dbl_18(sp_point_1024* r, const sp_point_1024* p,
    sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*18;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;

    x = r->x;
    y = r->y;
    z = r->z;
    /* Put infinity into result. */
    if (r != p) {
        r->infinity = p->infinity;
    }

    /* T1 = Z * Z */
    sp_1024_mont_sqr_18(t1, p->z, p1024_mod, p1024_mp_mod);
    /* Z = Y * Z */
    sp_1024_mont_mul_18(z, p->y, p->z, p1024_mod, p1024_mp_mod);
    /* Z = 2Z */
    sp_1024_mont_dbl_18(z, z, p1024_mod);
    /* T2 = X - T1 */
    sp_1024_mont_sub_18(t2, p->x, t1, p1024_mod);
    /* T1 = X + T1 */
    sp_1024_mont_add_18(t1, p->x, t1, p1024_mod);
    /* T2 = T1 * T2 */
    sp_1024_mont_mul_18(t2, t1, t2, p1024_mod, p1024_mp_mod);
    /* T1 = 3T2 */
    sp_1024_mont_tpl_18(t1, t2, p1024_mod);
    /* Y = 2Y */
    sp_1024_mont_dbl_18(y, p->y, p1024_mod);
    /* Y = Y * Y */
    sp_1024_mont_sqr_18(y, y, p1024_mod, p1024_mp_mod);
    /* T2 = Y * Y */
    sp_1024_mont_sqr_18(t2, y, p1024_mod, p1024_mp_mod);
    /* T2 = T2/2 */
    sp_1024_mont_div2_18(t2, t2, p1024_mod);
    /* Y = Y * X */
    sp_1024_mont_mul_18(y, y, p->x, p1024_mod, p1024_mp_mod);
    /* X = T1 * T1 */
    sp_1024_mont_sqr_18(x, t1, p1024_mod, p1024_mp_mod);
    /* X = X - Y */
    sp_1024_mont_sub_18(x, x, y, p1024_mod);
    /* X = X - Y */
    sp_1024_mont_sub_18(x, x, y, p1024_mod);
    /* Y = Y - X */
    sp_1024_mont_sub_18(y, y, x, p1024_mod);
    /* Y = Y * T1 */
    sp_1024_mont_mul_18(y, y, t1, p1024_mod, p1024_mp_mod);
    /* Y = Y - T2 */
    sp_1024_mont_sub_18(y, y, t2, p1024_mod);
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_1024_proj_point_dbl_18_ctx {
    int state;
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_1024_proj_point_dbl_18_ctx;

/* Double the Montgomery form projective point p.
 *
 * r  Result of doubling point.
 * p  Point to double.
 * t  Temporary ordinate data.
 */
static int sp_1024_proj_point_dbl_18_nb(sp_ecc_ctx_t* sp_ctx, sp_point_1024* r,
        const sp_point_1024* p, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_1024_proj_point_dbl_18_ctx* ctx = (sp_1024_proj_point_dbl_18_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_1024_proj_point_dbl_18_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0:
        ctx->t1 = t;
        ctx->t2 = t + 2*18;
        ctx->x = r->x;
        ctx->y = r->y;
        ctx->z = r->z;

        /* Put infinity into result. */
        if (r != p) {
            r->infinity = p->infinity;
        }
        ctx->state = 1;
        break;
    case 1:
        /* T1 = Z * Z */
        sp_1024_mont_sqr_18(ctx->t1, p->z, p1024_mod, p1024_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        /* Z = Y * Z */
        sp_1024_mont_mul_18(ctx->z, p->y, p->z, p1024_mod, p1024_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        /* Z = 2Z */
        sp_1024_mont_dbl_18(ctx->z, ctx->z, p1024_mod);
        ctx->state = 4;
        break;
    case 4:
        /* T2 = X - T1 */
        sp_1024_mont_sub_18(ctx->t2, p->x, ctx->t1, p1024_mod);
        ctx->state = 5;
        break;
    case 5:
        /* T1 = X + T1 */
        sp_1024_mont_add_18(ctx->t1, p->x, ctx->t1, p1024_mod);
        ctx->state = 6;
        break;
    case 6:
        /* T2 = T1 * T2 */
        sp_1024_mont_mul_18(ctx->t2, ctx->t1, ctx->t2, p1024_mod, p1024_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* T1 = 3T2 */
        sp_1024_mont_tpl_18(ctx->t1, ctx->t2, p1024_mod);
        ctx->state = 8;
        break;
    case 8:
        /* Y = 2Y */
        sp_1024_mont_dbl_18(ctx->y, p->y, p1024_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Y = Y * Y */
        sp_1024_mont_sqr_18(ctx->y, ctx->y, p1024_mod, p1024_mp_mod);
        ctx->state = 10;
        break;
    case 10:
        /* T2 = Y * Y */
        sp_1024_mont_sqr_18(ctx->t2, ctx->y, p1024_mod, p1024_mp_mod);
        ctx->state = 11;
        break;
    case 11:
        /* T2 = T2/2 */
        sp_1024_mont_div2_18(ctx->t2, ctx->t2, p1024_mod);
        ctx->state = 12;
        break;
    case 12:
        /* Y = Y * X */
        sp_1024_mont_mul_18(ctx->y, ctx->y, p->x, p1024_mod, p1024_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        /* X = T1 * T1 */
        sp_1024_mont_sqr_18(ctx->x, ctx->t1, p1024_mod, p1024_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        /* X = X - Y */
        sp_1024_mont_sub_18(ctx->x, ctx->x, ctx->y, p1024_mod);
        ctx->state = 15;
        break;
    case 15:
        /* X = X - Y */
        sp_1024_mont_sub_18(ctx->x, ctx->x, ctx->y, p1024_mod);
        ctx->state = 16;
        break;
    case 16:
        /* Y = Y - X */
        sp_1024_mont_sub_18(ctx->y, ctx->y, ctx->x, p1024_mod);
        ctx->state = 17;
        break;
    case 17:
        /* Y = Y * T1 */
        sp_1024_mont_mul_18(ctx->y, ctx->y, ctx->t1, p1024_mod, p1024_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        /* Y = Y - T2 */
        sp_1024_mont_sub_18(ctx->y, ctx->y, ctx->t2, p1024_mod);
        ctx->state = 19;
        /* fall-through */
    case 19:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 19) {
        err = FP_WOULDBLOCK;
    }

    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */
/* Compare two numbers to determine if they are equal.
 * Constant time implementation.
 *
 * a  First number to compare.
 * b  Second number to compare.
 * returns 1 when equal and 0 otherwise.
 */
static int sp_1024_cmp_equal_18(const sp_digit* a, const sp_digit* b)
{
    return ((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]) |
            (a[3] ^ b[3]) | (a[4] ^ b[4]) | (a[5] ^ b[5]) |
            (a[6] ^ b[6]) | (a[7] ^ b[7]) | (a[8] ^ b[8]) |
            (a[9] ^ b[9]) | (a[10] ^ b[10]) | (a[11] ^ b[11]) |
            (a[12] ^ b[12]) | (a[13] ^ b[13]) | (a[14] ^ b[14]) |
            (a[15] ^ b[15]) | (a[16] ^ b[16]) | (a[17] ^ b[17])) == 0;
}

/* Returns 1 if the number of zero.
 * Implementation is constant time.
 *
 * a  Number to check.
 * returns 1 if the number is zero and 0 otherwise.
 */
static int sp_1024_iszero_18(const sp_digit* a)
{
    return (a[0] | a[1] | a[2] | a[3] | a[4] | a[5] | a[6] | a[7] |
            a[8] | a[9] | a[10] | a[11] | a[12] | a[13] | a[14] | a[15] |
            a[16] | a[17]) == 0;
}


/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_1024_proj_point_add_18(sp_point_1024* r,
        const sp_point_1024* p, const sp_point_1024* q, sp_digit* t)
{
    sp_digit* t6 = t;
    sp_digit* t1 = t + 2*18;
    sp_digit* t2 = t + 4*18;
    sp_digit* t3 = t + 6*18;
    sp_digit* t4 = t + 8*18;
    sp_digit* t5 = t + 10*18;

    /* U1 = X1*Z2^2 */
    sp_1024_mont_sqr_18(t1, q->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t3, t1, q->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t1, t1, p->x, p1024_mod, p1024_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_1024_mont_sqr_18(t2, p->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t4, t2, p->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t2, t2, q->x, p1024_mod, p1024_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_1024_mont_mul_18(t3, t3, p->y, p1024_mod, p1024_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_1024_mont_mul_18(t4, t4, q->y, p1024_mod, p1024_mp_mod);

    /* Check double */
    if ((~p->infinity) & (~q->infinity) &
            sp_1024_cmp_equal_18(t2, t1) &
            sp_1024_cmp_equal_18(t4, t3)) {
        sp_1024_proj_point_dbl_18(r, p, t);
    }
    else {
        sp_digit* x = t6;
        sp_digit* y = t1;
        sp_digit* z = t2;

        /* H = U2 - U1 */
        sp_1024_mont_sub_18(t2, t2, t1, p1024_mod);
        /* R = S2 - S1 */
        sp_1024_mont_sub_18(t4, t4, t3, p1024_mod);
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_1024_mont_sqr_18(t5, t2, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(y, t1, t5, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(t5, t5, t2, p1024_mod, p1024_mp_mod);
        /* Z3 = H*Z1*Z2 */
        sp_1024_mont_mul_18(z, p->z, t2, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(z, z, q->z, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sqr_18(x, t4, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(x, x, t5, p1024_mod);
        sp_1024_mont_mul_18(t5, t5, t3, p1024_mod, p1024_mp_mod);
        sp_1024_mont_dbl_18(t3, y, p1024_mod);
        sp_1024_mont_sub_18(x, x, t3, p1024_mod);
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_1024_mont_sub_18(y, y, x, p1024_mod);
        sp_1024_mont_mul_18(y, y, t4, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(y, y, t5, p1024_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 18; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_1024_proj_point_add_18_ctx {
    int state;
    sp_1024_proj_point_dbl_18_ctx dbl_ctx;
    const sp_point_1024* ap[2];
    sp_point_1024* rp[2];
    sp_digit* t1;
    sp_digit* t2;
    sp_digit* t3;
    sp_digit* t4;
    sp_digit* t5;
    sp_digit* t6;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
} sp_1024_proj_point_add_18_ctx;

/* Add two Montgomery form projective points.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static int sp_1024_proj_point_add_18_nb(sp_ecc_ctx_t* sp_ctx, sp_point_1024* r,
    const sp_point_1024* p, const sp_point_1024* q, sp_digit* t)
{
    int err = FP_WOULDBLOCK;
    sp_1024_proj_point_add_18_ctx* ctx = (sp_1024_proj_point_add_18_ctx*)sp_ctx->data;

    /* Ensure only the first point is the same as the result. */
    if (q == r) {
        const sp_point_1024* a = p;
        p = q;
        q = a;
    }

    typedef char ctx_size_test[sizeof(sp_1024_proj_point_add_18_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    switch (ctx->state) {
    case 0: /* INIT */
        ctx->t6 = t;
        ctx->t1 = t + 2*18;
        ctx->t2 = t + 4*18;
        ctx->t3 = t + 6*18;
        ctx->t4 = t + 8*18;
        ctx->t5 = t + 10*18;
        ctx->x = ctx->t6;
        ctx->y = ctx->t1;
        ctx->z = ctx->t2;

        ctx->state = 1;
        break;
    case 1:
        /* U1 = X1*Z2^2 */
        sp_1024_mont_sqr_18(ctx->t1, q->z, p1024_mod, p1024_mp_mod);
        ctx->state = 2;
        break;
    case 2:
        sp_1024_mont_mul_18(ctx->t3, ctx->t1, q->z, p1024_mod, p1024_mp_mod);
        ctx->state = 3;
        break;
    case 3:
        sp_1024_mont_mul_18(ctx->t1, ctx->t1, p->x, p1024_mod, p1024_mp_mod);
        ctx->state = 4;
        break;
    case 4:
        /* U2 = X2*Z1^2 */
        sp_1024_mont_sqr_18(ctx->t2, p->z, p1024_mod, p1024_mp_mod);
        ctx->state = 5;
        break;
    case 5:
        sp_1024_mont_mul_18(ctx->t4, ctx->t2, p->z, p1024_mod, p1024_mp_mod);
        ctx->state = 6;
        break;
    case 6:
        sp_1024_mont_mul_18(ctx->t2, ctx->t2, q->x, p1024_mod, p1024_mp_mod);
        ctx->state = 7;
        break;
    case 7:
        /* S1 = Y1*Z2^3 */
        sp_1024_mont_mul_18(ctx->t3, ctx->t3, p->y, p1024_mod, p1024_mp_mod);
        ctx->state = 8;
        break;
    case 8:
        /* S2 = Y2*Z1^3 */
        sp_1024_mont_mul_18(ctx->t4, ctx->t4, q->y, p1024_mod, p1024_mp_mod);
        ctx->state = 9;
        break;
    case 9:
        /* Check double */
        if ((~p->infinity) & (~q->infinity) &
                sp_1024_cmp_equal_18(ctx->t2, ctx->t1) &
                sp_1024_cmp_equal_18(ctx->t4, ctx->t3)) {
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            sp_1024_proj_point_dbl_18(r, p, t);
            ctx->state = 25;
        }
        else {
            ctx->state = 10;
        }
        break;
    case 10:
        /* H = U2 - U1 */
        sp_1024_mont_sub_18(ctx->t2, ctx->t2, ctx->t1, p1024_mod);
        ctx->state = 11;
        break;
    case 11:
        /* R = S2 - S1 */
        sp_1024_mont_sub_18(ctx->t4, ctx->t4, ctx->t3, p1024_mod);
        ctx->state = 12;
        break;
    case 12:
        /* X3 = R^2 - H^3 - 2*U1*H^2 */
        sp_1024_mont_sqr_18(ctx->t5, ctx->t2, p1024_mod, p1024_mp_mod);
        ctx->state = 13;
        break;
    case 13:
        sp_1024_mont_mul_18(ctx->y, ctx->t1, ctx->t5, p1024_mod, p1024_mp_mod);
        ctx->state = 14;
        break;
    case 14:
        sp_1024_mont_mul_18(ctx->t5, ctx->t5, ctx->t2, p1024_mod, p1024_mp_mod);
        ctx->state = 15;
        break;
    case 15:
        /* Z3 = H*Z1*Z2 */
        sp_1024_mont_mul_18(ctx->z, p->z, ctx->t2, p1024_mod, p1024_mp_mod);
        ctx->state = 16;
        break;
    case 16:
        sp_1024_mont_mul_18(ctx->z, ctx->z, q->z, p1024_mod, p1024_mp_mod);
        ctx->state = 17;
        break;
    case 17:
        sp_1024_mont_sqr_18(ctx->x, ctx->t4, p1024_mod, p1024_mp_mod);
        ctx->state = 18;
        break;
    case 18:
        sp_1024_mont_sub_18(ctx->x, ctx->x, ctx->t5, p1024_mod);
        ctx->state = 19;
        break;
    case 19:
        sp_1024_mont_mul_18(ctx->t5, ctx->t5, ctx->t3, p1024_mod, p1024_mp_mod);
        ctx->state = 20;
        break;
    case 20:
        sp_1024_mont_dbl_18(ctx->t3, ctx->y, p1024_mod);
        sp_1024_mont_sub_18(ctx->x, ctx->x, ctx->t3, p1024_mod);
        ctx->state = 21;
        break;
    case 21:
        /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
        sp_1024_mont_sub_18(ctx->y, ctx->y, ctx->x, p1024_mod);
        ctx->state = 22;
        break;
    case 22:
        sp_1024_mont_mul_18(ctx->y, ctx->y, ctx->t4, p1024_mod, p1024_mp_mod);
        ctx->state = 23;
        break;
    case 23:
        sp_1024_mont_sub_18(ctx->y, ctx->y, ctx->t5, p1024_mod);
        ctx->state = 24;
        break;
    case 24:
    {
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 18; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (ctx->x[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (ctx->y[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (ctx->z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
        ctx->state = 25;
        break;
    }
    case 25:
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 25) {
        err = FP_WOULDBLOCK;
    }
    return err;
}
#endif /* WOLFSSL_SP_NONBLOCK */

#ifdef WOLFSSL_SP_SMALL
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Small implementation using add and double that is cache attack resistant but
 * allocates memory rather than use large stacks.
 * 1024 adds and doubles.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_18(sp_point_1024* r, const sp_point_1024* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_1024 t[3];
    sp_digit tmp[2 * 18 * 37];
#endif
    sp_digit n;
    int i;
    int c;
    int y;
    int err = MP_OKAY;

    /* Implementation is constant time. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 18 * 37, heap,
                                 DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        XMEMSET(t, 0, sizeof(sp_point_1024) * 3);

        /* t[0] = {0, 0, 1} * norm */
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_1024_mod_mul_norm_18(t[1].x, g->x, p1024_mod);
    }
    if (err == MP_OKAY)
        err = sp_1024_mod_mul_norm_18(t[1].y, g->y, p1024_mod);
    if (err == MP_OKAY)
        err = sp_1024_mod_mul_norm_18(t[1].z, g->z, p1024_mod);

    if (err == MP_OKAY) {
        i = 17;
        c = 55;
        n = k[i--] << (57 - c);
        for (; ; c--) {
            if (c == 0) {
                if (i == -1)
                    break;

                n = k[i--];
                c = 57;
            }

            y = (n >> 56) & 1;
            n <<= 1;

            sp_1024_proj_point_add_18(&t[y^1], &t[0], &t[1], tmp);

            XMEMCPY(&t[2], (void*)(((size_t)&t[0] & addr_mask[y^1]) +
                                   ((size_t)&t[1] & addr_mask[y])),
                    sizeof(sp_point_1024));
            sp_1024_proj_point_dbl_18(&t[2], &t[2], tmp);
            XMEMCPY((void*)(((size_t)&t[0] & addr_mask[y^1]) +
                            ((size_t)&t[1] & addr_mask[y])), &t[2],
                    sizeof(sp_point_1024));
        }

        if (map != 0) {
            sp_1024_map_18(r, &t[0], tmp);
        }
        else {
            XMEMCPY(r, &t[0], sizeof(sp_point_1024));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (tmp != NULL)
#endif
    {
        ForceZero(tmp, sizeof(sp_digit) * 2 * 18 * 37);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
    #endif
    }
#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
#endif
    {
        ForceZero(t, sizeof(sp_point_1024) * 3);
    #ifdef WOLFSSL_SP_SMALL_STACK
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    #endif
    }

    return err;
}

#ifdef WOLFSSL_SP_NONBLOCK
typedef struct sp_1024_ecc_mulmod_18_ctx {
    int state;
    union {
        sp_1024_proj_point_dbl_18_ctx dbl_ctx;
        sp_1024_proj_point_add_18_ctx add_ctx;
    };
    sp_point_1024 t[3];
    sp_digit tmp[2 * 18 * 37];
    sp_digit n;
    int i;
    int c;
    int y;
} sp_1024_ecc_mulmod_18_ctx;

static int sp_1024_ecc_mulmod_18_nb(sp_ecc_ctx_t* sp_ctx, sp_point_1024* r,
    const sp_point_1024* g, const sp_digit* k, int map, int ct, void* heap)
{
    int err = FP_WOULDBLOCK;
    sp_1024_ecc_mulmod_18_ctx* ctx = (sp_1024_ecc_mulmod_18_ctx*)sp_ctx->data;

    typedef char ctx_size_test[sizeof(sp_1024_ecc_mulmod_18_ctx) >= sizeof(*sp_ctx) ? -1 : 1];
    (void)sizeof(ctx_size_test);

    /* Implementation is constant time. */
    (void)ct;

    switch (ctx->state) {
    case 0: /* INIT */
        XMEMSET(ctx->t, 0, sizeof(sp_point_1024) * 3);
        ctx->i = 17;
        ctx->c = 55;
        ctx->n = k[ctx->i--] << (57 - ctx->c);

        /* t[0] = {0, 0, 1} * norm */
        ctx->t[0].infinity = 1;
        ctx->state = 1;
        break;
    case 1: /* T1X */
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_1024_mod_mul_norm_18(ctx->t[1].x, g->x, p1024_mod);
        ctx->state = 2;
        break;
    case 2: /* T1Y */
        err = sp_1024_mod_mul_norm_18(ctx->t[1].y, g->y, p1024_mod);
        ctx->state = 3;
        break;
    case 3: /* T1Z */
        err = sp_1024_mod_mul_norm_18(ctx->t[1].z, g->z, p1024_mod);
        ctx->state = 4;
        break;
    case 4: /* ADDPREP */
        if (ctx->c == 0) {
            if (ctx->i == -1) {
                ctx->state = 7;
                break;
            }

            ctx->n = k[ctx->i--];
            ctx->c = 57;
        }
        ctx->y = (ctx->n >> 56) & 1;
        ctx->n <<= 1;
        XMEMSET(&ctx->add_ctx, 0, sizeof(ctx->add_ctx));
        ctx->state = 5;
        break;
    case 5: /* ADD */
        err = sp_1024_proj_point_add_18_nb((sp_ecc_ctx_t*)&ctx->add_ctx,
            &ctx->t[ctx->y^1], &ctx->t[0], &ctx->t[1], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY(&ctx->t[2], (void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                                        ((size_t)&ctx->t[1] & addr_mask[ctx->y])),
                    sizeof(sp_point_1024));
            XMEMSET(&ctx->dbl_ctx, 0, sizeof(ctx->dbl_ctx));
            ctx->state = 6;
        }
        break;
    case 6: /* DBL */
        err = sp_1024_proj_point_dbl_18_nb((sp_ecc_ctx_t*)&ctx->dbl_ctx, &ctx->t[2],
            &ctx->t[2], ctx->tmp);
        if (err == MP_OKAY) {
            XMEMCPY((void*)(((size_t)&ctx->t[0] & addr_mask[ctx->y^1]) +
                            ((size_t)&ctx->t[1] & addr_mask[ctx->y])), &ctx->t[2],
                    sizeof(sp_point_1024));
            ctx->state = 4;
            ctx->c--;
        }
        break;
    case 7: /* MAP */
        if (map != 0) {
            sp_1024_map_18(r, &ctx->t[0], ctx->tmp);
        }
        else {
            XMEMCPY(r, &ctx->t[0], sizeof(sp_point_1024));
        }
        err = MP_OKAY;
        break;
    }

    if (err == MP_OKAY && ctx->state != 7) {
        err = FP_WOULDBLOCK;
    }
    if (err != FP_WOULDBLOCK) {
        ForceZero(ctx->tmp, sizeof(ctx->tmp));
        ForceZero(ctx->t, sizeof(ctx->t));
    }

    (void)heap;

    return err;
}

#endif /* WOLFSSL_SP_NONBLOCK */

#else
/* A table entry for pre-computed points. */
typedef struct sp_table_entry_1024 {
    sp_digit x[18];
    sp_digit y[18];
} sp_table_entry_1024;

/* Conditionally copy a into r using the mask m.
 * m is -1 to copy and 0 when not.
 *
 * r  A single precision number to copy over.
 * a  A single precision number to copy.
 * m  Mask value to apply.
 */
static void sp_1024_cond_copy_18(sp_digit* r, const sp_digit* a, const sp_digit m)
{
    sp_digit t[18];
#ifdef WOLFSSL_SP_SMALL
    int i;

    for (i = 0; i < 18; i++) {
        t[i] = r[i] ^ a[i];
    }
    for (i = 0; i < 18; i++) {
        r[i] ^= t[i] & m;
    }
#else
    t[ 0] = r[ 0] ^ a[ 0];
    t[ 1] = r[ 1] ^ a[ 1];
    t[ 2] = r[ 2] ^ a[ 2];
    t[ 3] = r[ 3] ^ a[ 3];
    t[ 4] = r[ 4] ^ a[ 4];
    t[ 5] = r[ 5] ^ a[ 5];
    t[ 6] = r[ 6] ^ a[ 6];
    t[ 7] = r[ 7] ^ a[ 7];
    t[ 8] = r[ 8] ^ a[ 8];
    t[ 9] = r[ 9] ^ a[ 9];
    t[10] = r[10] ^ a[10];
    t[11] = r[11] ^ a[11];
    t[12] = r[12] ^ a[12];
    t[13] = r[13] ^ a[13];
    t[14] = r[14] ^ a[14];
    t[15] = r[15] ^ a[15];
    t[16] = r[16] ^ a[16];
    t[17] = r[17] ^ a[17];
    r[ 0] ^= t[ 0] & m;
    r[ 1] ^= t[ 1] & m;
    r[ 2] ^= t[ 2] & m;
    r[ 3] ^= t[ 3] & m;
    r[ 4] ^= t[ 4] & m;
    r[ 5] ^= t[ 5] & m;
    r[ 6] ^= t[ 6] & m;
    r[ 7] ^= t[ 7] & m;
    r[ 8] ^= t[ 8] & m;
    r[ 9] ^= t[ 9] & m;
    r[10] ^= t[10] & m;
    r[11] ^= t[11] & m;
    r[12] ^= t[12] & m;
    r[13] ^= t[13] & m;
    r[14] ^= t[14] & m;
    r[15] ^= t[15] & m;
    r[16] ^= t[16] & m;
    r[17] ^= t[17] & m;
#endif /* WOLFSSL_SP_SMALL */
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_1024_proj_point_dbl_n_18(sp_point_1024* p, int i,
    sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*18;
    sp_digit* b = t + 4*18;
    sp_digit* t1 = t + 6*18;
    sp_digit* t2 = t + 8*18;
    sp_digit* x;
    sp_digit* y;
    sp_digit* z;
    volatile int n = i;

    x = p->x;
    y = p->y;
    z = p->z;

    /* Y = 2*Y */
    sp_1024_mont_dbl_18(y, y, p1024_mod);
    /* W = Z^4 */
    sp_1024_mont_sqr_18(w, z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sqr_18(w, w, p1024_mod, p1024_mp_mod);
#ifndef WOLFSSL_SP_SMALL
    while (--n > 0)
#else
    while (--n >= 0)
#endif
    {
        /* A = 3*(X^2 - W) */
        sp_1024_mont_sqr_18(t1, x, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(t1, t1, w, p1024_mod);
        sp_1024_mont_tpl_18(a, t1, p1024_mod);
        /* B = X*Y^2 */
        sp_1024_mont_sqr_18(t1, y, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(b, t1, x, p1024_mod, p1024_mp_mod);
        /* X = A^2 - 2B */
        sp_1024_mont_sqr_18(x, a, p1024_mod, p1024_mp_mod);
        sp_1024_mont_dbl_18(t2, b, p1024_mod);
        sp_1024_mont_sub_18(x, x, t2, p1024_mod);
        /* B = 2.(B - X) */
        sp_1024_mont_sub_18(t2, b, x, p1024_mod);
        sp_1024_mont_dbl_18(b, t2, p1024_mod);
        /* Z = Z*Y */
        sp_1024_mont_mul_18(z, z, y, p1024_mod, p1024_mp_mod);
        /* t1 = Y^4 */
        sp_1024_mont_sqr_18(t1, t1, p1024_mod, p1024_mp_mod);
#ifdef WOLFSSL_SP_SMALL
        if (n != 0)
#endif
        {
            /* W = W*Y^4 */
            sp_1024_mont_mul_18(w, w, t1, p1024_mod, p1024_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_1024_mont_mul_18(y, b, a, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(y, y, t1, p1024_mod);
    }
#ifndef WOLFSSL_SP_SMALL
    /* A = 3*(X^2 - W) */
    sp_1024_mont_sqr_18(t1, x, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sub_18(t1, t1, w, p1024_mod);
    sp_1024_mont_tpl_18(a, t1, p1024_mod);
    /* B = X*Y^2 */
    sp_1024_mont_sqr_18(t1, y, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(b, t1, x, p1024_mod, p1024_mp_mod);
    /* X = A^2 - 2B */
    sp_1024_mont_sqr_18(x, a, p1024_mod, p1024_mp_mod);
    sp_1024_mont_dbl_18(t2, b, p1024_mod);
    sp_1024_mont_sub_18(x, x, t2, p1024_mod);
    /* B = 2.(B - X) */
    sp_1024_mont_sub_18(t2, b, x, p1024_mod);
    sp_1024_mont_dbl_18(b, t2, p1024_mod);
    /* Z = Z*Y */
    sp_1024_mont_mul_18(z, z, y, p1024_mod, p1024_mp_mod);
    /* t1 = Y^4 */
    sp_1024_mont_sqr_18(t1, t1, p1024_mod, p1024_mp_mod);
    /* y = 2*A*(B - X) - Y^4 */
    sp_1024_mont_mul_18(y, b, a, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sub_18(y, y, t1, p1024_mod);
#endif /* WOLFSSL_SP_SMALL */
    /* Y = Y/2 */
    sp_1024_mont_div2_18(y, y, p1024_mod);
}

/* Double the Montgomery form projective point p a number of times.
 *
 * r  Result of repeated doubling of point.
 * p  Point to double.
 * n  Number of times to double
 * t  Temporary ordinate data.
 */
static void sp_1024_proj_point_dbl_n_store_18(sp_point_1024* r,
        const sp_point_1024* p, int n, int m, sp_digit* t)
{
    sp_digit* w = t;
    sp_digit* a = t + 2*18;
    sp_digit* b = t + 4*18;
    sp_digit* t1 = t + 6*18;
    sp_digit* t2 = t + 8*18;
    sp_digit* x = r[2*m].x;
    sp_digit* y = r[(1<<n)*m].y;
    sp_digit* z = r[2*m].z;
    int i;
    int j;

    for (i=0; i<18; i++) {
        x[i] = p->x[i];
    }
    for (i=0; i<18; i++) {
        y[i] = p->y[i];
    }
    for (i=0; i<18; i++) {
        z[i] = p->z[i];
    }

    /* Y = 2*Y */
    sp_1024_mont_dbl_18(y, y, p1024_mod);
    /* W = Z^4 */
    sp_1024_mont_sqr_18(w, z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sqr_18(w, w, p1024_mod, p1024_mp_mod);
    j = m;
    for (i=1; i<=n; i++) {
        j *= 2;

        /* A = 3*(X^2 - W) */
        sp_1024_mont_sqr_18(t1, x, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(t1, t1, w, p1024_mod);
        sp_1024_mont_tpl_18(a, t1, p1024_mod);
        /* B = X*Y^2 */
        sp_1024_mont_sqr_18(t1, y, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(b, t1, x, p1024_mod, p1024_mp_mod);
        x = r[j].x;
        /* X = A^2 - 2B */
        sp_1024_mont_sqr_18(x, a, p1024_mod, p1024_mp_mod);
        sp_1024_mont_dbl_18(t2, b, p1024_mod);
        sp_1024_mont_sub_18(x, x, t2, p1024_mod);
        /* B = 2.(B - X) */
        sp_1024_mont_sub_18(t2, b, x, p1024_mod);
        sp_1024_mont_dbl_18(b, t2, p1024_mod);
        /* Z = Z*Y */
        sp_1024_mont_mul_18(r[j].z, z, y, p1024_mod, p1024_mp_mod);
        z = r[j].z;
        /* t1 = Y^4 */
        sp_1024_mont_sqr_18(t1, t1, p1024_mod, p1024_mp_mod);
        if (i != n) {
            /* W = W*Y^4 */
            sp_1024_mont_mul_18(w, w, t1, p1024_mod, p1024_mp_mod);
        }
        /* y = 2*A*(B - X) - Y^4 */
        sp_1024_mont_mul_18(y, b, a, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(y, y, t1, p1024_mod);
        /* Y = Y/2 */
        sp_1024_mont_div2_18(r[j].y, y, p1024_mod);
        r[j].infinity = 0;
    }
}

/* Add two Montgomery form projective points.
 *
 * ra  Result of addition.
 * rs  Result of subtraction.
 * p   First point to add.
 * q   Second point to add.
 * t   Temporary ordinate data.
 */
static void sp_1024_proj_point_add_sub_18(sp_point_1024* ra,
        sp_point_1024* rs, const sp_point_1024* p, const sp_point_1024* q,
        sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2*18;
    sp_digit* t3 = t + 4*18;
    sp_digit* t4 = t + 6*18;
    sp_digit* t5 = t + 8*18;
    sp_digit* t6 = t + 10*18;
    sp_digit* xa = ra->x;
    sp_digit* ya = ra->y;
    sp_digit* za = ra->z;
    sp_digit* xs = rs->x;
    sp_digit* ys = rs->y;
    sp_digit* zs = rs->z;


    XMEMCPY(xa, p->x, sizeof(p->x) / 2);
    XMEMCPY(ya, p->y, sizeof(p->y) / 2);
    XMEMCPY(za, p->z, sizeof(p->z) / 2);
    ra->infinity = 0;
    rs->infinity = 0;

    /* U1 = X1*Z2^2 */
    sp_1024_mont_sqr_18(t1, q->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t3, t1, q->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t1, t1, xa, p1024_mod, p1024_mp_mod);
    /* U2 = X2*Z1^2 */
    sp_1024_mont_sqr_18(t2, za, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t4, t2, za, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t2, t2, q->x, p1024_mod, p1024_mp_mod);
    /* S1 = Y1*Z2^3 */
    sp_1024_mont_mul_18(t3, t3, ya, p1024_mod, p1024_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_1024_mont_mul_18(t4, t4, q->y, p1024_mod, p1024_mp_mod);
    /* H = U2 - U1 */
    sp_1024_mont_sub_18(t2, t2, t1, p1024_mod);
    /* RS = S2 + S1 */
    sp_1024_mont_add_18(t6, t4, t3, p1024_mod);
    /* R = S2 - S1 */
    sp_1024_mont_sub_18(t4, t4, t3, p1024_mod);
    /* Z3 = H*Z1*Z2 */
    /* ZS = H*Z1*Z2 */
    sp_1024_mont_mul_18(za, za, q->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(za, za, t2, p1024_mod, p1024_mp_mod);
    XMEMCPY(zs, za, sizeof(p->z)/2);
    /* X3 = R^2 - H^3 - 2*U1*H^2 */
    /* XS = RS^2 - H^3 - 2*U1*H^2 */
    sp_1024_mont_sqr_18(xa, t4, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sqr_18(xs, t6, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sqr_18(t5, t2, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(ya, t1, t5, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t5, t5, t2, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sub_18(xa, xa, t5, p1024_mod);
    sp_1024_mont_sub_18(xs, xs, t5, p1024_mod);
    sp_1024_mont_dbl_18(t1, ya, p1024_mod);
    sp_1024_mont_sub_18(xa, xa, t1, p1024_mod);
    sp_1024_mont_sub_18(xs, xs, t1, p1024_mod);
    /* Y3 = R*(U1*H^2 - X3) - S1*H^3 */
    /* YS = -RS*(U1*H^2 - XS) - S1*H^3 */
    sp_1024_mont_sub_18(ys, ya, xs, p1024_mod);
    sp_1024_mont_sub_18(ya, ya, xa, p1024_mod);
    sp_1024_mont_mul_18(ya, ya, t4, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sub_18(t6, p1024_mod, t6, p1024_mod);
    sp_1024_mont_mul_18(ys, ys, t6, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t5, t5, t3, p1024_mod, p1024_mp_mod);
    sp_1024_mont_sub_18(ya, ya, t5, p1024_mod);
    sp_1024_mont_sub_18(ys, ys, t5, p1024_mod);
}

/* Structure used to describe recoding of scalar multiplication. */
typedef struct ecc_recode_1024 {
    /* Index into pre-computation table. */
    uint8_t i;
    /* Use the negative of the point. */
    uint8_t neg;
} ecc_recode_1024;

/* The index into pre-computation table to use. */
static const uint8_t recode_index_18_7[130] = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
    16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
    32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
    48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
    64, 63, 62, 61, 60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49,
    48, 47, 46, 45, 44, 43, 42, 41, 40, 39, 38, 37, 36, 35, 34, 33,
    32, 31, 30, 29, 28, 27, 26, 25, 24, 23, 22, 21, 20, 19, 18, 17,
    16, 15, 14, 13, 12, 11, 10,  9,  8,  7,  6,  5,  4,  3,  2,  1,
     0,  1,
};

/* Whether to negate y-ordinate. */
static const uint8_t recode_neg_18_7[130] = {
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,  1,
     0,  0,
};

/* Recode the scalar for multiplication using pre-computed values and
 * subtraction.
 *
 * k  Scalar to multiply by.
 * v  Vector of operations to perform.
 */
static void sp_1024_ecc_recode_7_18(const sp_digit* k, ecc_recode_1024* v)
{
    int i;
    int j;
    uint8_t y;
    int carry = 0;
    int o;
    sp_digit n;

    j = 0;
    n = k[j];
    o = 0;
    for (i=0; i<147; i++) {
        y = (int8_t)n;
        if (o + 7 < 57) {
            y &= 0x7f;
            n >>= 7;
            o += 7;
        }
        else if (o + 7 == 57) {
            n >>= 7;
            if (++j < 18)
                n = k[j];
            o = 0;
        }
        else if (++j < 18) {
            n = k[j];
            y |= (uint8_t)((n << (57 - o)) & 0x7f);
            o -= 50;
            n >>= o;
        }

        y += (uint8_t)carry;
        v[i].i = recode_index_18_7[y];
        v[i].neg = recode_neg_18_7[y];
        carry = (y >> 7) + v[i].neg;
    }
}

/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Window technique of 7 bits. (Add-Sub variation.)
 * Calculate 0..64 times the point. Use function that adds and
 * subtracts the same two points.
 * Recode to add or subtract one of the computed points.
 * Double to push up.
 * NOT a sliding window.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_win_add_sub_18(sp_point_1024* r, const sp_point_1024* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* t = NULL;
    sp_digit* tmp = NULL;
#else
    sp_point_1024 t[65+2];
    sp_digit tmp[2 * 18 * 37];
#endif
    sp_point_1024* rt = NULL;
    sp_point_1024* p = NULL;
    sp_digit* negy;
    int i;
    ecc_recode_1024 v[147];
    int err = MP_OKAY;

    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) *
        (65+2), heap, DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 18 * 37,
                                 heap, DYNAMIC_TYPE_ECC);
        if (tmp == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        rt = t + 65;
        p  = t + 65+1;

        /* t[0] = {0, 0, 1} * norm */
        XMEMSET(&t[0], 0, sizeof(t[0]));
        t[0].infinity = 1;
        /* t[1] = {g->x, g->y, g->z} * norm */
        err = sp_1024_mod_mul_norm_18(t[1].x, g->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(t[1].y, g->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(t[1].z, g->z, p1024_mod);
    }

    if (err == MP_OKAY) {
        t[1].infinity = 0;
        /* t[2] ... t[64]  */
        sp_1024_proj_point_dbl_n_store_18(t, &t[ 1], 6, 1, tmp);
        sp_1024_proj_point_add_18(&t[ 3], &t[ 2], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[ 6], &t[ 3], tmp);
        sp_1024_proj_point_add_sub_18(&t[ 7], &t[ 5], &t[ 6], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[10], &t[ 5], tmp);
        sp_1024_proj_point_add_sub_18(&t[11], &t[ 9], &t[10], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[12], &t[ 6], tmp);
        sp_1024_proj_point_dbl_18(&t[14], &t[ 7], tmp);
        sp_1024_proj_point_add_sub_18(&t[15], &t[13], &t[14], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[18], &t[ 9], tmp);
        sp_1024_proj_point_add_sub_18(&t[19], &t[17], &t[18], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[20], &t[10], tmp);
        sp_1024_proj_point_dbl_18(&t[22], &t[11], tmp);
        sp_1024_proj_point_add_sub_18(&t[23], &t[21], &t[22], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[24], &t[12], tmp);
        sp_1024_proj_point_dbl_18(&t[26], &t[13], tmp);
        sp_1024_proj_point_add_sub_18(&t[27], &t[25], &t[26], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[28], &t[14], tmp);
        sp_1024_proj_point_dbl_18(&t[30], &t[15], tmp);
        sp_1024_proj_point_add_sub_18(&t[31], &t[29], &t[30], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[34], &t[17], tmp);
        sp_1024_proj_point_add_sub_18(&t[35], &t[33], &t[34], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[36], &t[18], tmp);
        sp_1024_proj_point_dbl_18(&t[38], &t[19], tmp);
        sp_1024_proj_point_add_sub_18(&t[39], &t[37], &t[38], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[40], &t[20], tmp);
        sp_1024_proj_point_dbl_18(&t[42], &t[21], tmp);
        sp_1024_proj_point_add_sub_18(&t[43], &t[41], &t[42], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[44], &t[22], tmp);
        sp_1024_proj_point_dbl_18(&t[46], &t[23], tmp);
        sp_1024_proj_point_add_sub_18(&t[47], &t[45], &t[46], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[48], &t[24], tmp);
        sp_1024_proj_point_dbl_18(&t[50], &t[25], tmp);
        sp_1024_proj_point_add_sub_18(&t[51], &t[49], &t[50], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[52], &t[26], tmp);
        sp_1024_proj_point_dbl_18(&t[54], &t[27], tmp);
        sp_1024_proj_point_add_sub_18(&t[55], &t[53], &t[54], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[56], &t[28], tmp);
        sp_1024_proj_point_dbl_18(&t[58], &t[29], tmp);
        sp_1024_proj_point_add_sub_18(&t[59], &t[57], &t[58], &t[ 1], tmp);
        sp_1024_proj_point_dbl_18(&t[60], &t[30], tmp);
        sp_1024_proj_point_dbl_18(&t[62], &t[31], tmp);
        sp_1024_proj_point_add_sub_18(&t[63], &t[61], &t[62], &t[ 1], tmp);

        negy = t[0].y;

        sp_1024_ecc_recode_7_18(k, v);

        i = 146;
        XMEMCPY(rt, &t[v[i].i], sizeof(sp_point_1024));
        for (--i; i>=0; i--) {
            sp_1024_proj_point_dbl_n_18(rt, 7, tmp);
            XMEMCPY(p, &t[v[i].i], sizeof(sp_point_1024));
            sp_1024_mont_sub_18(negy, p1024_mod, p->y, p1024_mod);
            sp_1024_norm_18(negy);
            sp_1024_cond_copy_18(p->y, negy, (sp_digit)0 - v[i].neg);
            sp_1024_proj_point_add_18(rt, rt, p, tmp);
        }

        if (map != 0) {
            sp_1024_map_18(r, rt, tmp);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_1024));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (tmp != NULL)
        XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#endif /* FP_ECC */
/* Add two Montgomery form projective points. The second point has a q value of
 * one.
 * Only the first point can be the same pointer as the result point.
 *
 * r  Result of addition.
 * p  First point to add.
 * q  Second point to add.
 * t  Temporary ordinate data.
 */
static void sp_1024_proj_point_add_qz1_18(sp_point_1024* r,
    const sp_point_1024* p, const sp_point_1024* q, sp_digit* t)
{
    sp_digit* t2 = t;
    sp_digit* t3 = t + 2*18;
    sp_digit* t6 = t + 4*18;
    sp_digit* t1 = t + 6*18;
    sp_digit* t4 = t + 8*18;
    sp_digit* t5 = t + 10*18;

    /* Calculate values to subtract from P->x and P->y. */
    /* U2 = X2*Z1^2 */
    sp_1024_mont_sqr_18(t2, p->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t4, t2, p->z, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t2, t2, q->x, p1024_mod, p1024_mp_mod);
    /* S2 = Y2*Z1^3 */
    sp_1024_mont_mul_18(t4, t4, q->y, p1024_mod, p1024_mp_mod);

    if ((~p->infinity) & (~q->infinity) &
            sp_1024_cmp_equal_18(p->x, t2) &
            sp_1024_cmp_equal_18(p->y, t4)) {
        sp_1024_proj_point_dbl_18(r, p, t);
    }
    else {
        sp_digit* x = t2;
        sp_digit* y = t3;
        sp_digit* z = t6;

        /* H = U2 - X1 */
        sp_1024_mont_sub_18(t2, t2, p->x, p1024_mod);
        /* R = S2 - Y1 */
        sp_1024_mont_sub_18(t4, t4, p->y, p1024_mod);
        /* Z3 = H*Z1 */
        sp_1024_mont_mul_18(z, p->z, t2, p1024_mod, p1024_mp_mod);
        /* X3 = R^2 - H^3 - 2*X1*H^2 */
        sp_1024_mont_sqr_18(t1, t2, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(t3, p->x, t1, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(t1, t1, t2, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sqr_18(t2, t4, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(t2, t2, t1, p1024_mod);
        sp_1024_mont_dbl_18(t5, t3, p1024_mod);
        sp_1024_mont_sub_18(x, t2, t5, p1024_mod);
        /* Y3 = R*(X1*H^2 - X3) - Y1*H^3 */
        sp_1024_mont_sub_18(t3, t3, x, p1024_mod);
        sp_1024_mont_mul_18(t3, t3, t4, p1024_mod, p1024_mp_mod);
        sp_1024_mont_mul_18(t1, t1, p->y, p1024_mod, p1024_mp_mod);
        sp_1024_mont_sub_18(y, t3, t1, p1024_mod);
        {
            int i;
            sp_digit maskp = 0 - (q->infinity & (!p->infinity));
            sp_digit maskq = 0 - (p->infinity & (!q->infinity));
            sp_digit maskt = ~(maskp | maskq);
            sp_digit inf = (sp_digit)(p->infinity & q->infinity);

            for (i = 0; i < 18; i++) {
                r->x[i] = (p->x[i] & maskp) | (q->x[i] & maskq) |
                          (x[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->y[i] = (p->y[i] & maskp) | (q->y[i] & maskq) |
                          (y[i] & maskt);
            }
            for (i = 0; i < 18; i++) {
                r->z[i] = (p->z[i] & maskp) | (q->z[i] & maskq) |
                          (z[i] & maskt);
            }
            r->z[0] |= inf;
            r->infinity = (word32)inf;
        }
    }
}

#if defined(FP_ECC) || !defined(WOLFSSL_SP_SMALL)
/* Convert the projective point to affine.
 * Ordinates are in Montgomery form.
 *
 * a  Point to convert.
 * t  Temporary data.
 */
static void sp_1024_proj_to_affine_18(sp_point_1024* a, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 18;
    sp_digit* tmp = t + 4 * 18;

    sp_1024_mont_inv_18(t1, a->z, tmp);

    sp_1024_mont_sqr_18(t2, t1, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t1, t2, t1, p1024_mod, p1024_mp_mod);

    sp_1024_mont_mul_18(a->x, a->x, t2, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(a->y, a->y, t1, p1024_mod, p1024_mp_mod);
    XMEMCPY(a->z, p1024_norm_mod, sizeof(p1024_norm_mod));
}

/* Generate the pre-computed table of points for the base point.
 *
 * width = 8
 * 256 entries
 * 128 bits between
 *
 * a      The base point.
 * table  Place to store generated point data.
 * tmp    Temporary data.
 * heap  Heap to use for allocation.
 */
static int sp_1024_gen_stripe_table_18(const sp_point_1024* a,
        sp_table_entry_1024* table, sp_digit* tmp, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* t = NULL;
#else
    sp_point_1024 t[3];
#endif
    sp_point_1024* s1 = NULL;
    sp_point_1024* s2 = NULL;
    int i;
    int j;
    int err = MP_OKAY;

    (void)heap;

#ifdef WOLFSSL_SP_SMALL_STACK
    t = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) * 3, heap,
                                     DYNAMIC_TYPE_ECC);
    if (t == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        s1 = t + 1;
        s2 = t + 2;

        err = sp_1024_mod_mul_norm_18(t->x, a->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(t->y, a->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(t->z, a->z, p1024_mod);
    }
    if (err == MP_OKAY) {
        t->infinity = 0;
        sp_1024_proj_to_affine_18(t, tmp);

        XMEMCPY(s1->z, p1024_norm_mod, sizeof(p1024_norm_mod));
        s1->infinity = 0;
        XMEMCPY(s2->z, p1024_norm_mod, sizeof(p1024_norm_mod));
        s2->infinity = 0;

        /* table[0] = {0, 0, infinity} */
        XMEMSET(&table[0], 0, sizeof(sp_table_entry_1024));
        /* table[1] = Affine version of 'a' in Montgomery form */
        XMEMCPY(table[1].x, t->x, sizeof(table->x));
        XMEMCPY(table[1].y, t->y, sizeof(table->y));

        for (i=1; i<8; i++) {
            sp_1024_proj_point_dbl_n_18(t, 128, tmp);
            sp_1024_proj_to_affine_18(t, tmp);
            XMEMCPY(table[1<<i].x, t->x, sizeof(table->x));
            XMEMCPY(table[1<<i].y, t->y, sizeof(table->y));
        }

        for (i=1; i<8; i++) {
            XMEMCPY(s1->x, table[1<<i].x, sizeof(table->x));
            XMEMCPY(s1->y, table[1<<i].y, sizeof(table->y));
            for (j=(1<<i)+1; j<(1<<(i+1)); j++) {
                XMEMCPY(s2->x, table[j-(1<<i)].x, sizeof(table->x));
                XMEMCPY(s2->y, table[j-(1<<i)].y, sizeof(table->y));
                sp_1024_proj_point_add_qz1_18(t, s1, s2, tmp);
                sp_1024_proj_to_affine_18(t, tmp);
                XMEMCPY(table[j].x, t->x, sizeof(table->x));
                XMEMCPY(table[j].y, t->y, sizeof(table->y));
            }
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#endif /* FP_ECC | !WOLFSSL_SP_SMALL */
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^128, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r      Resulting point.
 * k      Scalar to multiply by.
 * table  Pre-computed table.
 * map    Indicates whether to convert result to affine.
 * ct     Constant time required.
 * heap   Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_stripe_18(sp_point_1024* r, const sp_point_1024* g,
        const sp_table_entry_1024* table, const sp_digit* k, int map,
        int ct, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* rt = NULL;
    sp_digit* t = NULL;
#else
    sp_point_1024 rt[2];
    sp_digit t[2 * 18 * 37];
#endif
    sp_point_1024* p = NULL;
    int i;
    int j;
    int y;
    int x;
    int err = MP_OKAY;

    (void)g;
    /* Constant time used for cache attack resistance implementation. */
    (void)ct;
    (void)heap;


#ifdef WOLFSSL_SP_SMALL_STACK
    rt = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) * 2, heap,
                                      DYNAMIC_TYPE_ECC);
    if (rt == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 18 * 37, heap,
                               DYNAMIC_TYPE_ECC);
        if (t == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = rt + 1;

        XMEMCPY(p->z, p1024_norm_mod, sizeof(p1024_norm_mod));
        XMEMCPY(rt->z, p1024_norm_mod, sizeof(p1024_norm_mod));

        y = 0;
        x = 127;
        for (j=0; j<8; j++) {
            y |= (int)(((k[x / 57] >> (x % 57)) & 1) << j);
            x += 128;
        }
        XMEMCPY(rt->x, table[y].x, sizeof(table[y].x));
        XMEMCPY(rt->y, table[y].y, sizeof(table[y].y));
        rt->infinity = !y;
        for (i=126; i>=0; i--) {
            y = 0;
            x = i;
            for (j=0; j<8; j++) {
                y |= (int)(((k[x / 57] >> (x % 57)) & 1) << j);
                x += 128;
            }

            sp_1024_proj_point_dbl_18(rt, rt, t);
            XMEMCPY(p->x, table[y].x, sizeof(table[y].x));
            XMEMCPY(p->y, table[y].y, sizeof(table[y].y));
            p->infinity = !y;
            sp_1024_proj_point_add_qz1_18(rt, rt, p, t);
        }

        if (map != 0) {
            sp_1024_map_18(r, rt, t);
        }
        else {
            XMEMCPY(r, rt, sizeof(sp_point_1024));
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (rt != NULL)
        XFREE(rt, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef FP_ECC
#ifndef FP_ENTRIES
    #define FP_ENTRIES 16
#endif

/* Cache entry - holds precomputation tables for a point. */
typedef struct sp_cache_1024_t {
    /* X ordinate of point that table was generated from. */
    sp_digit x[18];
    /* Y ordinate of point that table was generated from. */
    sp_digit y[18];
    /* Precomputation table for point. */
    sp_table_entry_1024 table[256];
    /* Count of entries in table. */
    uint32_t cnt;
    /* Point and table set in entry. */
    int set;
} sp_cache_1024_t;

/* Cache of tables. */
static THREAD_LS_T sp_cache_1024_t sp_cache_1024[FP_ENTRIES];
/* Index of last entry in cache. */
static THREAD_LS_T int sp_cache_1024_last = -1;
/* Cache has been initialized. */
static THREAD_LS_T int sp_cache_1024_inited = 0;

#ifndef HAVE_THREAD_LS
    static volatile int initCacheMutex_1024 = 0;
    static wolfSSL_Mutex sp_cache_1024_lock;
#endif

/* Get the cache entry for the point.
 *
 * g      [in]   Point scalar multiplying.
 * cache  [out]  Cache table to use.
 */
static void sp_ecc_get_cache_1024(const sp_point_1024* g, sp_cache_1024_t** cache)
{
    int i;
    int j;
    uint32_t least;

    if (sp_cache_1024_inited == 0) {
        for (i=0; i<FP_ENTRIES; i++) {
            sp_cache_1024[i].set = 0;
        }
        sp_cache_1024_inited = 1;
    }

    /* Compare point with those in cache. */
    for (i=0; i<FP_ENTRIES; i++) {
        if (!sp_cache_1024[i].set)
            continue;

        if (sp_1024_cmp_equal_18(g->x, sp_cache_1024[i].x) &
                           sp_1024_cmp_equal_18(g->y, sp_cache_1024[i].y)) {
            sp_cache_1024[i].cnt++;
            break;
        }
    }

    /* No match. */
    if (i == FP_ENTRIES) {
        /* Find empty entry. */
        i = (sp_cache_1024_last + 1) % FP_ENTRIES;
        for (; i != sp_cache_1024_last; i=(i+1)%FP_ENTRIES) {
            if (!sp_cache_1024[i].set) {
                break;
            }
        }

        /* Evict least used. */
        if (i == sp_cache_1024_last) {
            least = sp_cache_1024[0].cnt;
            for (j=1; j<FP_ENTRIES; j++) {
                if (sp_cache_1024[j].cnt < least) {
                    i = j;
                    least = sp_cache_1024[i].cnt;
                }
            }
        }

        XMEMCPY(sp_cache_1024[i].x, g->x, sizeof(sp_cache_1024[i].x));
        XMEMCPY(sp_cache_1024[i].y, g->y, sizeof(sp_cache_1024[i].y));
        sp_cache_1024[i].set = 1;
        sp_cache_1024[i].cnt = 1;
    }

    *cache = &sp_cache_1024[i];
    sp_cache_1024_last = i;
}
#endif /* FP_ECC */

/* Multiply the base point of P1024 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * g     Point to multiply.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_18(sp_point_1024* r, const sp_point_1024* g,
        const sp_digit* k, int map, int ct, void* heap)
{
#ifndef FP_ECC
    return sp_1024_ecc_mulmod_win_add_sub_18(r, g, k, map, ct, heap);
#else
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* tmp;
#else
    sp_digit tmp[2 * 18 * 38];
#endif
    sp_cache_1024_t* cache;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    tmp = (sp_digit*)XMALLOC(sizeof(sp_digit) * 2 * 18 * 38, heap, DYNAMIC_TYPE_ECC);
    if (tmp == NULL) {
        err = MEMORY_E;
    }
#endif
#ifndef HAVE_THREAD_LS
    if (err == MP_OKAY) {
        if (initCacheMutex_1024 == 0) {
            wc_InitMutex(&sp_cache_1024_lock);
            initCacheMutex_1024 = 1;
        }
        if (wc_LockMutex(&sp_cache_1024_lock) != 0) {
            err = BAD_MUTEX_E;
        }
    }
#endif /* HAVE_THREAD_LS */

    if (err == MP_OKAY) {
        sp_ecc_get_cache_1024(g, &cache);
        if (cache->cnt == 2)
            sp_1024_gen_stripe_table_18(g, cache->table, tmp, heap);

#ifndef HAVE_THREAD_LS
        wc_UnLockMutex(&sp_cache_1024_lock);
#endif /* HAVE_THREAD_LS */

        if (cache->cnt < 2) {
            err = sp_1024_ecc_mulmod_win_add_sub_18(r, g, k, map, ct, heap);
        }
        else {
            err = sp_1024_ecc_mulmod_stripe_18(r, g, cache->table, k,
                    map, ct, heap);
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    XFREE(tmp, heap, DYNAMIC_TYPE_ECC);
#endif
    return err;
#endif
}

#endif
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * p     Point to multiply.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_1024(const mp_int* km, const ecc_point* gm, ecc_point* r,
        int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_1024 point[1];
    sp_digit k[18];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_1024_from_mp(k, 18, km);
        sp_1024_point_from_ecc_point_18(point, gm);

            err = sp_1024_ecc_mulmod_18(point, point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_to_ecc_point_18(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifdef WOLFSSL_SP_SMALL
/* Multiply the base point of P1024 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_base_18(sp_point_1024* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_1024_ecc_mulmod_18(r, &p1024_base, k, map, ct, heap);
}

#ifdef WOLFSSL_SP_NONBLOCK
static int sp_1024_ecc_mulmod_base_18_nb(sp_ecc_ctx_t* sp_ctx, sp_point_1024* r,
        const sp_digit* k, int map, int ct, void* heap)
{
    /* No pre-computed values. */
    return sp_1024_ecc_mulmod_18_nb(sp_ctx, r, &p1024_base, k, map, ct, heap);
}
#endif /* WOLFSSL_SP_NONBLOCK */


#else
/* Striping precomputation table.
 * 8 points combined into a table of 256 points.
 * Distance of 128 between points.
 */
static const sp_table_entry_1024 p1024_table[256] = {
    /* 0 */
    { { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
    /* 1 */
    { { 0x19c7ec6e0162bc2L,0x0637188544944dfL,0x17c27926760777bL,
        0x10da6b0430bab33L,0x10c5f8db9a96ea2L,0x1ae83300d763e9bL,
        0x15fe39cb9265633L,0x0b585ce52fa7d23L,0x18621db92da9f2fL,
        0x1936433ad2b3cf6L,0x0e177cb15aab052L,0x09a98d427f32466L,
        0x13ffa8ec11b88e7L,0x0f9fcff7890a58bL,0x19ed13a80e1a89cL,
        0x0692d7b36369d81L,0x00bafe528dceecdL,0x046fffcb50e24fcL },
      { 0x0a4753ac03c0c83L,0x14e8c55e6e6badaL,0x0e23ddd6d925a39L,
        0x157eb1e6a5c7073L,0x1d0bc15c803f949L,0x194c612fb8133cdL,
        0x05dba16fd745a3fL,0x1687edd7b318d8fL,0x120618af445e3e1L,
        0x1eaacc72a732049L,0x1ca0ed413fb6799L,0x17fae1b0ea2f608L,
        0x1f3f5addbe450caL,0x1c65a66523eb145L,0x071242000dfbcc1L,
        0x1b06e9c291a78d6L,0x1f3e256d3294fcfL,0x01550903def1e00L } },
    /* 2 */
    { { 0x15b6dae01900955L,0x04e60e75a32b6d4L,0x041f9cbfa56e977L,
        0x0f40818668a18f1L,0x1952ea6ea1ae544L,0x04b982c88c89b83L,
        0x1443d53fdcd0db4L,0x0e149b600e97b49L,0x0fd5306f1916440L,
        0x05cff39c5922916L,0x036b59e127dd885L,0x143161b9a5c828dL,
        0x015e1ad49287b29L,0x0ddd150d56ebf8dL,0x088cde66b18ea07L,
        0x07790026f38b702L,0x161f402b2f0b0e5L,0x0461f593f85f89dL },
      { 0x04ad3e1e513696fL,0x05d2e0c640ffd4dL,0x04d8f00cf44c0d4L,
        0x022f4a63783c5f8L,0x1aed610d53da6e7L,0x0ffab3a17632480L,
        0x144ab4cfa37dfa6L,0x1d7c955ae7c7bddL,0x0d983b465180f4dL,
        0x09b2934a817985aL,0x1e66aea24635fe6L,0x096ce01f8f34fc4L,
        0x1640bfd8c20ffe8L,0x0e9320debda2006L,0x098872f0e887485L,
        0x03d06f307288586L,0x110ace6500bb140L,0x03dfa0b1f128e21L } },
    /* 3 */
    { { 0x0174f88e3fd589eL,0x00bc86fcba5018eL,0x0f8cf9c1527f6d4L,
        0x1e2b249e69a12c4L,0x19b65ac58d091efL,0x14e167f77bce56fL,
        0x00af34b310988fdL,0x1bb02fb2064a59bL,0x1acf4f4d9a5f1ddL,
        0x030931aa808db5eL,0x112434bb4503274L,0x1d189b6d0da53eeL,
        0x16776b0fcc64092L,0x0f8b575b112f778L,0x0ef60a83a3007a7L,
        0x1c66ec506ce8309L,0x107757574e28956L,0x04c38f6e3382d3fL },
      { 0x10b76d5776535f7L,0x06b01131ad9dc5eL,0x0b667485bd91485L,
        0x0eaa2b7eeb8184bL,0x1e9f1675fd4df3aL,0x1439f3925312de2L,
        0x17128f0d7bedd01L,0x115deb93467765cL,0x1a971b35e806b19L,
        0x1ae0652d1e34876L,0x17762638788d067L,0x199d2ab5b3c951aL,
        0x07248d34164cecbL,0x02e057b71767a20L,0x1e03ffc6aece045L,
        0x1daae7e97dd0438L,0x1add14df768c272L,0x01cbf68851b8b1bL } },
    /* 4 */
    { { 0x13e0bb2755c2a27L,0x1217cacac2e2267L,0x183c64a179834e3L,
        0x00ec4e7a1e8d627L,0x193c569ac3ecd0cL,0x08c0c53c0078428L,
        0x0d8efc139d2ad0dL,0x1fd24b15471092cL,0x08456617cb8c894L,
        0x1e31555157cb4d0L,0x08a02d6919a3662L,0x0b1d5325e9f4cd8L,
        0x193f401e99bc9dfL,0x0261c6072ed85beL,0x137dacf81853f87L,
        0x16c31aa622a3859L,0x0a41c7575ece143L,0x020123cc2efc9ccL },
      { 0x1a251788f055746L,0x100200558f3707dL,0x13eeb0a49a5f16eL,
        0x12b69e8e81c3632L,0x1bb7ba547715211L,0x109cd2128048e84L,
        0x0a9f9e99d2186e6L,0x1dd75082767e6a7L,0x0afe771922443ceL,
        0x023469b1c23dde8L,0x1e7fd8f69250b45L,0x0383a84b68acc3eL,
        0x0d75ff46301563aL,0x159401649e1387eL,0x171c011081c8243L,
        0x05ce8d1e19b9790L,0x180ca4372fbfa03L,0x00d37e8f3645bceL } },
    /* 5 */
    { { 0x07a901a8d5116a3L,0x021ca597afa3fcbL,0x114983aebcec2e1L,
        0x0ec199f819c735aL,0x0c3f53f21e1be61L,0x088ddb5603f1e96L,
        0x0c30b760e38387bL,0x1708a8ea60e382bL,0x170dd4748920fe5L,
        0x1105f16f238c4b6L,0x1eb629649db1f06L,0x1987910ddc0e787L,
        0x176e831ac4026a1L,0x16280eb2cfedb79L,0x16a15d09a8d746aL,
        0x069ca15d3120a81L,0x15065dde0a4abd7L,0x014dbea6e0ab0a3L },
      { 0x0b3c2cbcbf4e20bL,0x1aa47ac662262a2L,0x0d516c32b07c70fL,
        0x0a01f00c4273013L,0x066905e00c0f02bL,0x080c4673095c480L,
        0x1daca3c563b5e0dL,0x1c1803b88b07eaaL,0x129803272a45492L,
        0x1d2b11d07fc9221L,0x08ac00a7437105dL,0x08b24f01d0f5a25L,
        0x030d53f272b4125L,0x12180f468f5e7c8L,0x1f41e62eb9ba900L,
        0x024d83cbe7e5f46L,0x17e9342c31022b4L,0x02e84940129c124L } },
    /* 6 */
    { { 0x03a2b7eff2f780dL,0x134106bebb58eacL,0x011e1bdd2bb0d34L,
        0x0421047fd7c7865L,0x1b5e7bf40fd4221L,0x147c66913f20bf7L,
        0x0efb1443526da95L,0x16ea779cfac2f03L,0x19cfe3f222f3718L,
        0x1a2744fecef360fL,0x1154fcfeb26d55fL,0x108dcde60179e39L,
        0x029f0ae6b19d2d0L,0x125c5df04bb6415L,0x0e96a9f98f6fd78L,
        0x0678e9958fe8b2eL,0x05dc6eb623784ddL,0x00513721a0a17f7L },
      { 0x081339facaa9a08L,0x18882a9237670c0L,0x05c184e4dd1d03cL,
        0x06485e05c312590L,0x1b5de98a8d8d410L,0x1df4a92415fe901L,
        0x0092627be51ad6aL,0x0f571a431726ed3L,0x1d5268e8966617cL,
        0x1173aa8c5be95c8L,0x11e5cffa359f0e5L,0x0a145602f8a258bL,
        0x1cc1a2946942e31L,0x098e3841b7a72f5L,0x1ee79428e644339L,
        0x015a15e9edd696eL,0x0ec68cbb175da12L,0x00ca4be30dc931bL } },
    /* 7 */
    { { 0x120b0c6417659a8L,0x15ce3c965947fb4L,0x0602da1de5ff1deL,
        0x03ceeb26c6ab6ceL,0x1561b1864caf58cL,0x07a4a328aadedb2L,
        0x02c80b9938d55e0L,0x0c1d615936e4535L,0x188594d782571bdL,
        0x0e6049cf1fd3c7cL,0x0d20c0ab0b4de57L,0x1ec1721e2888f71L,
        0x013ce4b3c1505fbL,0x0acdae0c5630874L,0x1a80888e693c9ebL,
        0x038f6bf4672e6f9L,0x1a6e578730b8dffL,0x04b5c8dc5a8bdfbL },
      { 0x1a991f49aac087cL,0x17ba7367ed946e0L,0x1e697dd8035b398L,
        0x09f22ff39211adfL,0x1de52dbfd781cd0L,0x0b90c03bcb7afb1L,
        0x04df79f6d9380bbL,0x02c1e10edecdf48L,0x13271ee643ca1f7L,
        0x1cd902c3e255c51L,0x05c41ce520411f2L,0x121ab318b86f974L,
        0x0a6f20e125df9a1L,0x1a794816865b739L,0x18b73ee8c508813L,
        0x186a285a51972f9L,0x09ddf261b8aa3d3L,0x039f9e98ae7fe12L } },
    /* 8 */
    { { 0x186855be6fd3673L,0x1b857ce90a5bdaeL,0x1e437311b34cc26L,
        0x0ab2aa21bd1a665L,0x18c1251ce553c01L,0x060de4aba3504b1L,
        0x0ea3f35f3a96e17L,0x0f89ff428d0005dL,0x110a3cb7022fcd7L,
        0x14ccefde27502f1L,0x1683413be9d5badL,0x0f3db9dabfb066eL,
        0x03251fd56e4d902L,0x015262f8a40c920L,0x0d0416fa1d8ce92L,
        0x1caf062e1a26036L,0x1fa93998b0f7247L,0x04449a7b221b5d0L },
      { 0x09f43b04713eabcL,0x1eec8d666e28bf8L,0x18efbc4f29f1329L,
        0x144b1030964fb54L,0x195dc2698b2e5a7L,0x1978a605465b096L,
        0x04d70d1a5d68b87L,0x1c63e5371dbc2e5L,0x0c3cbfd6ed40bc1L,
        0x1fa359f899311edL,0x16f9b7ec2dda074L,0x068aadb48689822L,
        0x18a8e43d985e31cL,0x05eeda7553e31f8L,0x153d631572c820dL,
        0x0d3b362d4187094L,0x0e174eacca246fdL,0x0068c4c5d8a9aa4L } },
    /* 9 */
    { { 0x0a73461e35ef043L,0x1b3ec9a4b5ab227L,0x1cef43e0e8f041eL,
        0x10a3a5386bac582L,0x11b1c1a4fad4b03L,0x1a1dcf1fa144153L,
        0x1d50d74af3d9952L,0x1838ef62b54557bL,0x15cb38a80dabe3dL,
        0x0fed0575240b39dL,0x05ad379ee43af85L,0x1c4a5791e7b10d3L,
        0x1637c4e42484f87L,0x0bd3d7ec56f681eL,0x132e4eb97b7999bL,
        0x1472301bb2b4543L,0x060a55cfd2546fbL,0x015ed58ee237c17L },
      { 0x04de22bfa6fed61L,0x0c552e646eca73dL,0x17c41c488bd7291L,
        0x1fcb5fe6ee7c6e5L,0x0a738e6d06a4b44L,0x18f89b5e1685d3aL,
        0x0a444691c38757cL,0x10aefff2675c205L,0x08b380a50310c78L,
        0x19e01143c1fe2d6L,0x1a249511c9741a7L,0x1c2cb5908443d8cL,
        0x0fcfda6e8a878f0L,0x1c66955d4d1d78dL,0x1b43ab8060fb4ddL,
        0x0c82a659b7ac104L,0x120b3234661cbeeL,0x01a9f5c495ce080L } },
    /* 10 */
    { { 0x0fdcad610b5521eL,0x0da202973817864L,0x00363ff69270684L,
        0x1597e6d75ac604dL,0x0c10a2d7cdb9654L,0x1873f03dac6708aL,
        0x0a04c79747df798L,0x0ff197c7afacec1L,0x1eb35866b6480d7L,
        0x0394679bf81b10cL,0x0197b50aa29d5d6L,0x1e3b20d450e1babL,
        0x04a51f906b283f1L,0x0a1d90543cf11fdL,0x079dd53cab1ba0dL,
        0x02ddc9e16c6f370L,0x07d57fbc0d48400L,0x046d103b8f310dbL },
      { 0x0855004ecce65ecL,0x0868fdba40c2f1eL,0x0f29e1e5eb49db4L,
        0x00efca955ac97cfL,0x1e0df0ff43444dbL,0x0843520bdb5864dL,
        0x1568e3f1095b015L,0x171f2a58877fae9L,0x0501e005a01c4edL,
        0x08b96fe252bf194L,0x0339394d75bb8f5L,0x1cb818ca1231b68L,
        0x07857561fcbaef1L,0x1a5112637428a2fL,0x103828b91a14da8L,
        0x007f8d351c44e1dL,0x15fb3f52247242bL,0x04317aaf161df5eL } },
    /* 11 */
    { { 0x16a390f226049feL,0x152bc6e5de4fd96L,0x12925d8d3edf324L,
        0x0c7bd4b1274a5fdL,0x0a49e9162b340cbL,0x0f20f9d1cf99c51L,
        0x1f9009acb7cf652L,0x1458e38f9b60cb4L,0x04a9b84a0468281L,
        0x1f75a81b98f7765L,0x0244d1db2edc958L,0x13537294cf19cdaL,
        0x1b808fd9f10cf97L,0x1057e2dcda26c61L,0x096f9a79836984fL,
        0x1ce9ea5b9cfbc7dL,0x1903a5d6864dc1eL,0x038d594489de403L },
      { 0x1618fc43b5b60adL,0x1af18250618c267L,0x0732f100cc082beL,
        0x07b63818cda4470L,0x06112a8d33cf895L,0x0b3d434e4ca726dL,
        0x134a75eab8b0f46L,0x1f7851aa926b6f5L,0x18075bd136c9a57L,
        0x0e01b9f4e4213fcL,0x12863464c897d72L,0x1a2688580318597L,
        0x07fbb3a72773777L,0x0cb16e0c75f2f6aL,0x1022019c10df524L,
        0x1e6b9e7383c125bL,0x06503e9c6f715ffL,0x046843ddb2f1b05L } },
    /* 12 */
    { { 0x02123023fdc1844L,0x113f7882f562b5fL,0x181bc5a28d21bb2L,
        0x1bc3af499643074L,0x1ef5d43e295f807L,0x1812e3b92353193L,
        0x138fab850c8171dL,0x0ea97bf8f95e690L,0x0ec939895df52c0L,
        0x1732afb6bd4e560L,0x17f8822ebb76c20L,0x0fc8a4fbce6330bL,
        0x1c313de1ea79c81L,0x0627b65d986707dL,0x0ec833677e56e27L,
        0x1f603e55dbe3debL,0x1ecfc1e0a891a8cL,0x0112f69a531f6dbL },
      { 0x013154dbabb1a85L,0x06d738f352b2d1fL,0x155aad2c403f4f6L,
        0x1dd78f1c35a642fL,0x08e73d37d44d934L,0x0f21e5810a990daL,
        0x02416ef242fe880L,0x1427847e3a04ea0L,0x02a2e5000c86691L,
        0x0595d693032c20eL,0x1072bcc009ad802L,0x05e8a4ed9cc22baL,
        0x0715932ffb1712cL,0x153a657900e261fL,0x014de91e25384f5L,
        0x192fc05adebbe18L,0x07ba8fb7602c2b1L,0x03095b072e8443eL } },
    /* 13 */
    { { 0x1d495cfba245d6bL,0x065dbd1671ffb77L,0x0b037fd7fbb973cL,
        0x119e518d4649b45L,0x0308a56b90c914fL,0x0b901a397eda86aL,
        0x127a40f6fdde44fL,0x1039f4bd9230455L,0x10dde73c83aea3eL,
        0x02dd4b13314489cL,0x1d922f29ab2f4d5L,0x0edd3140d0754a5L,
        0x0ca378ed52ff6f2L,0x042d60ec929b69dL,0x0f2129cd4f0b152L,
        0x082cf95fea5b401L,0x06e3971f81c3768L,0x007b99a70e96bccL },
      { 0x1bb5c836596067eL,0x0a70c9c60cc0357L,0x059ce72c3730cf9L,
        0x1a84806bf3050bbL,0x1fef90952b53f43L,0x07ab8d1c6298fc6L,
        0x09e1e43efa3936cL,0x04134183da54739L,0x02fecc1d6606f26L,
        0x0e44858b95be5a5L,0x129bef32ede1a27L,0x0105fce7dc93867L,
        0x17fcb66c48d1b11L,0x0370a2b9ac85be8L,0x0fab6164d5ac29aL,
        0x061f6ebad05880aL,0x149b2ae55fac54dL,0x033b1b5397c5774L } },
    /* 14 */
    { { 0x18063bcb91d6beaL,0x11d17491f65cb31L,0x064b189eb29ab89L,
        0x14ef5f3cfd3af61L,0x04aafebbc6ed001L,0x02ad48490a56679L,
        0x126768d592e59e0L,0x14a01333639c04eL,0x1e413a4e1e46a06L,
        0x02e89fb1728f7f3L,0x01f4d26ea10efa8L,0x104a63062b3c6bdL,
        0x1a546019230a633L,0x1bfe8e793011f45L,0x1cbf54e6c41dc86L,
        0x15e708d6aa857fbL,0x165b314f4f81c18L,0x00437cc3b305644L },
      { 0x07019548cbb9850L,0x05b98510696463bL,0x015d4cd59c31884L,
        0x0a064975d48109aL,0x076ee9b43ecdc59L,0x07fd32303fe2f96L,
        0x118f3ce4f403d10L,0x1cfc0222f2c5b82L,0x0f00b82519c7725L,
        0x0f3039b2de8e8c3L,0x015530b3dcaab0dL,0x1fbddf4692fbe7bL,
        0x0cf646ad11b4dd0L,0x0fbdc756eb89134L,0x01b7f941f082beeL,
        0x0a934c612d3a9f8L,0x01076b7df1c7245L,0x0340fca01f30d74L } },
    /* 15 */
    { { 0x0ad5163c9a0623bL,0x014abb3fd5c6a3eL,0x03b206bdf1f36feL,
        0x11d2cdab8459956L,0x10d4e41c469e38cL,0x159ace1a2186a97L,
        0x0049d0981d68a94L,0x082485ba7c6677aL,0x0cda3f6359fed23L,
        0x0f99b986bea97fdL,0x1d5bc1d9030fbd3L,0x0438377bcaf8bffL,
        0x0aeb8bb3364783cL,0x15684202ec3c251L,0x0d8af507b1f14cfL,
        0x1a95e96fe2847f3L,0x10a5543145c7075L,0x0064ef4a55d302cL },
      { 0x0d7273595d5682bL,0x0214197613b76c7L,0x1b562cda8349c47L,
        0x090931511fa3e95L,0x0480f45162ab40cL,0x0e7ff12c647e312L,
        0x0d6762f23292edeL,0x0bb2156b078e034L,0x0aee31a733fd5d1L,
        0x152acbde489199eL,0x072b92db0f8f080L,0x085853270110203L,
        0x1df47c8199e5130L,0x195007490700141L,0x1d6b8ee435a3963L,
        0x06164d3c5be834eL,0x196b8d2eca5871cL,0x0399ee5075d8ef1L } },
    /* 16 */
    { { 0x1b495d04b59213aL,0x1901cc6b810077aL,0x0698ad9dc707299L,
        0x08573d619697961L,0x0cdba21226adeedL,0x044868f5aa23aa4L,
        0x11ad0386aff37c2L,0x070a4a132c6d31cL,0x1e1bff0b082e9c1L,
        0x0c4f266a884cd38L,0x0326f326e4731e8L,0x0fb826fd897c46cL,
        0x01d1519f6e9bd4dL,0x07c19281e81ab29L,0x1ba8ad2fd7db5e3L,
        0x06339c86020631bL,0x1d7c3132494ef4cL,0x01559dea3878fd3L },
      { 0x153b680922c9fbbL,0x13ee4078b6368abL,0x04d6eb05bbf21a7L,
        0x0908da3b370688aL,0x12d62c214326a3bL,0x14956ada8bff71dL,
        0x0b04da416be882cL,0x11a54ae2634595bL,0x0cd904d8febdbcaL,
        0x1f6d4379f9b2fd9L,0x1ec82371faa8737L,0x150948bcef80e12L,
        0x0ccf5d118e89a35L,0x0fb74cf420bd031L,0x1e821f4f03012a0L,
        0x055a5888e096174L,0x0296f8a27d13ea2L,0x049d25a0b2613e9L } },
    /* 17 */
    { { 0x0271bc11f1efb7aL,0x1347319fe6606eaL,0x03c6c47d42a2b93L,
        0x1f5e0ec1133b379L,0x043d0e035430398L,0x11ea60a2f1217daL,
        0x0b425cfb09467dbL,0x01f56e1ef217537L,0x0de612ad5f9add1L,
        0x01bf2a70a74a15aL,0x095b4f76e2da2aeL,0x0678358548102ebL,
        0x10f0c80f94e85b2L,0x04c6da7cfc7fb61L,0x09f73752dfcfedeL,
        0x0712b458c089e8bL,0x163f3abb2f6fe3dL,0x01a16706b99773bL },
      { 0x1261394cf491b1fL,0x1776b8c84f1caf5L,0x156a7f936fab72aL,
        0x1a927ac09bb9880L,0x1ce5ebef17a6611L,0x0c4e5add222d1d0L,
        0x0101ba0b8a1638eL,0x0ab72de850507ebL,0x099877b99a156cfL,
        0x1c83533270b3507L,0x074d4eca5db44ebL,0x1e4e6d8c34039d4L,
        0x13b0f55d86efc16L,0x0759a600ed82621L,0x1980a00f2d2c9a6L,
        0x07d8a71a0fef055L,0x12043ac3bcb43beL,0x022afa579f0ab7eL } },
    /* 18 */
    { { 0x057f262754ec21cL,0x06a64f1d0dd1c60L,0x034445b07fa4fabL,
        0x09d599156c74042L,0x0a6f32cae4ea4e9L,0x1cbae718e0064d7L,
        0x087a572d88e761aL,0x116ca9abb19429dL,0x1230d31f45067fcL,
        0x05dc865b1aaff65L,0x007b3b705cba392L,0x01519600ce6ef1fL,
        0x01e162d01228838L,0x02d78a2e0cd8170L,0x0b70d503821e81bL,
        0x180cde09b916f6eL,0x1b7f70ef2148de3L,0x0278a412189804fL },
      { 0x0004fce6e2055e2L,0x123f543619033afL,0x16557e76aa8a278L,
        0x1f9d6fec769d797L,0x063784a0d15f212L,0x1b0128af662e0fcL,
        0x0a5514ece002dd5L,0x033d726038714d4L,0x00f16ba18a13cddL,
        0x189e928c43e1692L,0x08d6166a504fda0L,0x0bcdfc7faf8bf32L,
        0x1416e0ee0542340L,0x1fd6d55833c5759L,0x02111c47cef9eecL,
        0x05fecf203f45905L,0x10bc950db304d66L,0x03a6ae96a1e008bL } },
    /* 19 */
    { { 0x1002dc02b5bfe11L,0x1a086a96990f3d1L,0x1d9659e6ea241ccL,
        0x08d0b646dc2b241L,0x146f60400e248c1L,0x038bf8467d5aca1L,
        0x115da7d5ebedd03L,0x08e1b756518cc08L,0x10fa099689cdc32L,
        0x0f0157161187682L,0x185553916fbdd10L,0x13059c9af6de1b2L,
        0x075e62d22e9688aL,0x1e965d147d6f7d6L,0x1f1d27ebc544a9aL,
        0x0b4d6f10d1cc57cL,0x02988048d81ae9fL,0x0358d2a2162c2bdL },
      { 0x15ab9ad43242066L,0x178da966651574fL,0x1b1e623b71382bfL,
        0x02068361ab63687L,0x150aab370d0c00fL,0x13254ca6b45c7bdL,
        0x1a13a6a3939bfceL,0x0b8330671f6fe34L,0x18bc0e748351a0fL,
        0x0567966ed62228aL,0x14e6657a7fddacbL,0x167e2c7260ab829L,
        0x05888d837654a01L,0x19193bd8b561f75L,0x076eefee1366a69L,
        0x0e2f132264d23c2L,0x0c8597717aeabb6L,0x026109a9345d8a5L } },
    /* 20 */
    { { 0x06fe0a695532833L,0x111476b13683397L,0x0f659279cef6af2L,
        0x15e0789818455deL,0x15169b452083a87L,0x083544f4aa73ae9L,
        0x13e415dd427b9d1L,0x12293964edc55d5L,0x108275d77fa409fL,
        0x0f5b79ef85deb5cL,0x080b2f904c9c118L,0x184363893163290L,
        0x08361fee5935f3fL,0x087028f9bb6345dL,0x039c10a8632ef65L,
        0x03d16470950f263L,0x134292abead80ddL,0x032b89e14ae1be1L },
      { 0x0cca8e9ceb77b9aL,0x1f39391db4a34eeL,0x1b9a8075aca0be5L,
        0x1ab57d9bfd8ed57L,0x09290d703925203L,0x18a21c44a240411L,
        0x11f0fe64c5092c0L,0x04e08413be2f9a8L,0x17c6f2059c855c8L,
        0x0bebc312b607034L,0x16dbf904b653136L,0x0b23329883bab53L,
        0x01c89e21a319a64L,0x03501f87091a455L,0x05bfab35a412d43L,
        0x0d276ab82a2ad4cL,0x0384e36d1b57cc7L,0x035874cb61dd71eL } },
    /* 21 */
    { { 0x0789fabcceced00L,0x1f38d72dbd53319L,0x09a4b77af37cc8dL,
        0x016c3b5b1f0f65cL,0x135f803cb724512L,0x128786f08f2f246L,
        0x0ae4bed37d75e63L,0x07ac1dcd16979a5L,0x198ab2f5c1ce336L,
        0x0dd1ced3e6a1323L,0x15cbae0fd3ecfc5L,0x1d11cade11b634cL,
        0x1e172562c20f77dL,0x052c787a0ba1bb0L,0x1475b8af8d27fe2L,
        0x1e769c09b4e3709L,0x1f8368f03429e9fL,0x020115102b3c111L },
      { 0x07bbd0583847375L,0x0b5b11fa28d7829L,0x09352cb1fc60eb9L,
        0x168a4b731ac331eL,0x0e0884b5ee323f5L,0x0963bb54ec69cd0L,
        0x1055340175fdbecL,0x179ae38907ce117L,0x18ca6fd28742541L,
        0x179ee66fc1cbeedL,0x14c494fb33c90c2L,0x0210b1b0371b701L,
        0x0171391f68c743aL,0x19ddb2bf9fa4759L,0x191f8c524ebfe20L,
        0x0f3ec3a2bdacc0fL,0x15610159b11e082L,0x01890bce5925354L } },
    /* 22 */
    { { 0x14cc3ca07615ac2L,0x12f32090d6ac0d4L,0x05be9e61ade6161L,
        0x173abc1e3b5c8ecL,0x1d9457ea395a40eL,0x1432ecd48a19321L,
        0x0ba32379b5a8fe8L,0x1960ee3b72c2029L,0x077a7cce6976a87L,
        0x1ef21708a1d07b0L,0x0f3027664f64d29L,0x0d2731d8987bc40L,
        0x183a25df4b92018L,0x115816b5ebbaa36L,0x169c6242b67ad1dL,
        0x04377f555e411a0L,0x1ea5238181f4312L,0x020beb63c399a88L },
      { 0x0bd81b70e91e9a8L,0x0020c61b86b599eL,0x042a3aa88dcdccdL,
        0x08d8facead04bb6L,0x14c33ded8f2b09eL,0x0af1fdf144774dcL,
        0x1a22336109aec5aL,0x0c54c2ed90db9d3L,0x13f4c89226165e3L,
        0x0a7208fb031fd84L,0x1eb08323e781314L,0x0d39bfa55ac2d20L,
        0x048452199acef74L,0x09561a315d185d7L,0x0b520b4c1a04a4cL,
        0x0132a0237d0e792L,0x00aff4cbf89e833L,0x0010c4ea968a385L } },
    /* 23 */
    { { 0x1e419dd92599c69L,0x0110dbff6196539L,0x0f4826efeff56e5L,
        0x08c7db12b7657f3L,0x1f486f7961ea97aL,0x0a0d1cb3048a359L,
        0x104d6f471e817f4L,0x0f78f3d919f07acL,0x17f8fd42f988350L,
        0x1e5a9db8bd9e813L,0x1637359f296886bL,0x01599a292f0d0ccL,
        0x0e34b95067a6a6cL,0x0fa24ac60b79eb8L,0x0a00848dc48238fL,
        0x058e3a5bac9cdd8L,0x0fa33b2c4ab3078L,0x03ddfc55ea908bbL },
      { 0x09e4aafa78b981aL,0x1a71b182764145fL,0x1ce4e5677a8de22L,
        0x064816738e188b9L,0x08383b7d70a9bddL,0x1d081324ce6bee9L,
        0x1c6ccc1a42cb8c1L,0x09044c5ab31dd25L,0x0c62d77deb4725aL,
        0x0b792de3de1d507L,0x162d97457bdfea8L,0x043a172dad1ec5bL,
        0x03a00f1906d9792L,0x15ba63a05c9442eL,0x15d888be91dae6fL,
        0x0a09e42fbb76b8eL,0x16bc2782c305788L,0x0430684b67c0938L } },
    /* 24 */
    { { 0x0bc337d4d79bbf9L,0x1f55c34fba7c07fL,0x0254cc41354d754L,
        0x1432df172ffe6d4L,0x15ce69092ab820dL,0x141baa4b0e9e8fbL,
        0x12e6ec65fb01011L,0x1474d19c37f274dL,0x1503456ffc5f021L,
        0x08516d8c4a07fedL,0x143e3fbc010826dL,0x02ee092cb0eaef8L,
        0x198bb8770ad635dL,0x103c729f392bb36L,0x1f20de23866c0a2L,
        0x073406c9a9995f3L,0x1201a3df411f0ddL,0x03f40722101d6fcL },
      { 0x15f8a57539a1ddfL,0x073d7772432b125L,0x047605808787492L,
        0x17fa6da58838f69L,0x0aec00d92e7b871L,0x09f8d9ed1c5a820L,
        0x1e35bca09d84986L,0x066d387fd0df63eL,0x156c8b786e827acL,
        0x143fb639a43e47bL,0x1c885c677b96f05L,0x0e7ffe732831571L,
        0x14a9027c8004e84L,0x150e971479c2600L,0x197bbc6659efa6aL,
        0x106f90d2d0da7c0L,0x063737c6b08c7bdL,0x02ee55ae8cf45ecL } },
    /* 25 */
    { { 0x184283a9a7d772bL,0x0f292f2a04acd83L,0x002219052ad5ad2L,
        0x053ae96552a8d76L,0x003b0b1bd444816L,0x09fc35933c48569L,
        0x00f1c79ea0af323L,0x19e26a57f6bb0b5L,0x1f29f16e3fad07cL,
        0x01531dc20f0621fL,0x1c8b15acde7fbf0L,0x0ca762489e4d209L,
        0x1f3a28bdea19d8aL,0x1b6a2ae7331adb6L,0x1fcdcd462da2147L,
        0x17b56e958503139L,0x098ad40f9df8b2cL,0x0046616cf56e4eaL },
      { 0x06a6866c170c84bL,0x04f45ad24d24217L,0x03834132264aee6L,
        0x10c3674846f61c0L,0x10d0189955ad347L,0x0806599e4a92285L,
        0x1db438e4885578cL,0x0a6324cb6dde064L,0x00fe8595a76d42bL,
        0x14b6f707e31a9dbL,0x18372091be24f82L,0x057de14e9974ec3L,
        0x043fdfad9b4ec90L,0x07edb4bab080434L,0x1dd642975a98391L,
        0x0146e7ea75590fdL,0x1b0d29e6be01287L,0x04c8fd6e0aad52aL } },
    /* 26 */
    { { 0x0bc4b0fb4844ffeL,0x1138a307c5c38c1L,0x0389338fc7cdce4L,
        0x082c6a33d915800L,0x08288b5ff0d548bL,0x0e4d383d57c215cL,
        0x1f59e7a2c3130afL,0x18740daa2a4974bL,0x0d0b1afa0f93cdeL,
        0x004aadd6fc4fc78L,0x0fa4b7ba8cb248aL,0x1f327fc0b7c90d9L,
        0x15fa6919aa0cae3L,0x17078dc5f930384L,0x1b3e6203d51d079L,
        0x123ae55da3ee861L,0x1e99296f76b7349L,0x03367c69412cf87L },
      { 0x101905b226f5868L,0x174460b484f4f4dL,0x045928dfad53040L,
        0x119302c64657a11L,0x06bac53cf72253eL,0x15557b9bfc274ecL,
        0x011b8b8d49152bfL,0x05ccf90deee5940L,0x086bce50e666337L,
        0x151d4b05b4a8502L,0x06535ff06aea4fdL,0x02578264dcdcc3fL,
        0x042e56b0051957cL,0x02c93a064db2c7fL,0x1fc9a96734a5ff2L,
        0x05d76eca99d362eL,0x048aaa699dba79dL,0x02fe5062d0765b2L } },
    /* 27 */
    { { 0x06e25f3569a6663L,0x0bf73f3552653f1L,0x169a3462e030256L,
        0x0a4524ce604b499L,0x07387209450602bL,0x199d29cd7afb280L,
        0x0a547fbbb6cd099L,0x1341eb9ced10caeL,0x1872a360b8398aeL,
        0x01a3d4015987b61L,0x04ec8c685885618L,0x1f25dcd8dbd9a42L,
        0x085cbcf9e66fd9cL,0x15d1ff4242f852dL,0x1b35c9f5e969b90L,
        0x0342155fcce40a3L,0x0b4e09c6bb2a208L,0x032bd65f85cb9d8L },
      { 0x130466fc274c8d4L,0x128bb1854ca6898L,0x0329c1e50d7d09dL,
        0x0dd712f40c42e4bL,0x161ee1304485040L,0x0bbc5df9c6ff772L,
        0x0e7a447d3eb3ea8L,0x064ecb8cc2f7357L,0x1b135499bd8f109L,
        0x075b19bd39dc8acL,0x0733c5bdfa2dab0L,0x007430fbdea7e58L,
        0x09830b9c625b32cL,0x1788729c44d68eaL,0x17d56f05cd7ab8cL,
        0x1b61b6397b3853aL,0x1bb42428c47e539L,0x01e96d209642959L } },
    /* 28 */
    { { 0x1702b6e871f2865L,0x1b1cf8a14906b4bL,0x0a8116d618455b2L,
        0x03e7627024650a4L,0x112206e8f3943adL,0x06acf5736110053L,
        0x1dd670a24396a8dL,0x0cf56a5fa81ed6fL,0x0f522c8de180bf5L,
        0x00f4bd9566771cbL,0x1d606713a972ec6L,0x0bd156a3a7dfc06L,
        0x0abcb50fd80d998L,0x0bf0e406f1364b6L,0x058d5f7ee75ac4eL,
        0x18ff6b0563029efL,0x06189a7822107f4L,0x001577796e01abfL },
      { 0x1a7926f2c7ec9beL,0x1983f392c590095L,0x08431be9ad28a4bL,
        0x13c5798b56e9cc5L,0x1bb8c07380c0854L,0x0f8ca6da0b06dc3L,
        0x12a7357bc14a4caL,0x1a21d71b428dbb4L,0x00b5d43d215ea23L,
        0x075f7817e1a5fd7L,0x0d9342121d5e9dbL,0x06d05a69994759aL,
        0x021d2d95e2c1401L,0x1c37551404e533aL,0x0597fb30ff475b9L,
        0x124073d6226db45L,0x0b048871baac077L,0x035a23600a58ad7L } },
    /* 29 */
    { { 0x019eb2e25e8fe80L,0x1bc834c11c50be4L,0x065a07906124ad7L,
        0x0d31d4da8bade3dL,0x1fd02e4058ad8adL,0x0920b6add72d6a5L,
        0x1f28405b70c9ea0L,0x1231663530b4668L,0x10b4da61082a653L,
        0x05c8d96da461afdL,0x1a05f34aabe3107L,0x09079bfb9b813d2L,
        0x0112b692541a630L,0x1c51504bb82ac9bL,0x1314a057f735c4bL,
        0x0c12ab356c4746bL,0x12f30c8ebe0932bL,0x04309a125d84702L },
      { 0x0902063b2231d8aL,0x11194ecd30b3394L,0x1f9c1c6a7c9ec3dL,
        0x00c07e08fd55f41L,0x1d92a1c36bcd896L,0x0a41db08c6653b7L,
        0x14988d05398adc7L,0x0b5424799bb74e0L,0x11a576437fd9b5cL,
        0x0980de1264687d1L,0x02b51040909f369L,0x0bc1a754d8052deL,
        0x00072a39960e6fbL,0x02069fd6e6c6244L,0x047550536bf284aL,
        0x0e69a53e9947bbdL,0x17c0037c5988441L,0x043199d4cce67f2L } },
    /* 30 */
    { { 0x013a751ecf53b40L,0x1637917bc52a169L,0x038bc4eb95b73fcL,
        0x1e1cc2e91c1eb3eL,0x172c414591f8ccbL,0x0e6e5b8556f65ceL,
        0x1f1c1acbb614932L,0x0051c016e583d5fL,0x089b24285aa7281L,
        0x13f53f05b3ce57dL,0x0e30993c29bdbeaL,0x02e61d00872eba5L,
        0x05c85730497ed7bL,0x04c3749f2d49f5aL,0x08302bf24afd750L,
        0x1875ea4d6b538d4L,0x0c90adf47c9b99dL,0x009592ff15d1016L },
      { 0x1b8d78a33eea395L,0x09b0c7b19fe2e04L,0x18a49c3b3bbf1eaL,
        0x118c51da18fd042L,0x01d68939524779bL,0x176e4848edae50dL,
        0x1cefe189b863961L,0x039fc047d17fd67L,0x06279fde1025017L,
        0x09763ee2af0b96fL,0x1a1a571b5329179L,0x10f17b7821e288bL,
        0x086fc3835e42de3L,0x1f085b291588a6fL,0x039e3fa7eae9159L,
        0x015948223b05472L,0x174576b61c2aedfL,0x010b13cd4ba5665L } },
    /* 31 */
    { { 0x14cdabf4047f747L,0x1119ee098ad0f60L,0x0f4d0397429c0f2L,
        0x13768270d2b3cf9L,0x0f01fbd81fd0c4eL,0x15c11e8c4e84588L,
        0x002854112710a9dL,0x1c9038449427316L,0x108084e4f8e8179L,
        0x0c57cca34c720f4L,0x038df15842fcbbfL,0x087f4fa4f21e3c6L,
        0x0cb31953884e6a0L,0x01bccefececb730L,0x1fe40bf9d7e61b4L,
        0x082dc76951e23f1L,0x15efa9453787588L,0x010341f1fcc13a9L },
      { 0x1582e26d0378878L,0x0a611d3ca2bc3e5L,0x02fe3d9a22ce788L,
        0x0a80a2a4e027a00L,0x00111f5d7548d4fL,0x1ffc813889e0aeaL,
        0x11730efd6949aa2L,0x00b7b4d60213692L,0x183dcc74ebc2f3aL,
        0x177b14221f7efd0L,0x183ba559716fd0aL,0x021ab25e4875a5cL,
        0x121bc3bf514f0faL,0x102bb53a3572c59L,0x1cc206a04ec21a1L,
        0x1dcb2178047f09aL,0x1959fd03aa032dcL,0x02f20b5fa93eb63L } },
    /* 32 */
    { { 0x0313760026cc23cL,0x0d5775ad9482c12L,0x0be3174bb85fe06L,
        0x17dcb988055244eL,0x17def07d8048e7cL,0x17c10f6de3eb773L,
        0x0ee25875a4913daL,0x148bef2cddb32d9L,0x0f81b17ea96a155L,
        0x16cf7b801f9f6abL,0x19641ba20a96cacL,0x00e55d28e300bcdL,
        0x11658c76f486fa1L,0x0581ad501a6cfe2L,0x0f992067d80f703L,
        0x153df6f673fd6ebL,0x1e3ca87554acf04L,0x027fb417643da7eL },
      { 0x125627fd0a10ad5L,0x02e394b4737a298L,0x15ae01a8458dff5L,
        0x1bbca067c653037L,0x1f4f8988b92de1cL,0x13f0ee1da25a2f5L,
        0x161e3286e625b6bL,0x08ea42cdcb40ef1L,0x182d472bea51168L,
        0x1ee9c157944aa22L,0x14580975bb1327eL,0x16396caa560445dL,
        0x13a1e6210f3614eL,0x010d3a53b1e2efbL,0x172f537a4580a14L,
        0x1c533489948018cL,0x07c48cb187e0f15L,0x028f5c0c71a0128L } },
    /* 33 */
    { { 0x1c1d178b92100abL,0x11eb04b02dc1c8fL,0x0956dc7967437cbL,
        0x0a29f97c08254f8L,0x19fd06af3f8b667L,0x01068387451c9aaL,
        0x1ef9558c9940848L,0x0a8cd2df9a2a51cL,0x16588514b0c7b76L,
        0x06c07c62c8952daL,0x1fbc13cc932dfc3L,0x1d9f8db47aeb175L,
        0x1831d1df2f6b53eL,0x19c095b6f6f7a46L,0x18980c7ccdae595L,
        0x1e137905d5c95dcL,0x07f300abd32d244L,0x045857caa98ecb2L },
      { 0x170180a2e603544L,0x19d61910d66cf5bL,0x19958901c0c8ad5L,
        0x1b7135787a742feL,0x1793225aad3e74aL,0x012b25c51e971d6L,
        0x14ad515eee813bcL,0x1d110eaca5ff85bL,0x0d2905d15e67143L,
        0x0c425a1017246b8L,0x0648671d8da95dbL,0x08426bc6f1be0dfL,
        0x1d10c64a02a8dc3L,0x060abd334ae0eb9L,0x0928d5335a93b3bL,
        0x0653b75b983911cL,0x0d08024f1b29839L,0x029b1f2a4a6d245L } },
    /* 34 */
    { { 0x15523b7e23fc641L,0x07397c33338318fL,0x17d6380274bff95L,
        0x1f18afebc252942L,0x116d64dcf203997L,0x1517fdd114b9265L,
        0x03b59a5ef93f52eL,0x06c7ea0fc8c14ddL,0x00afe3a5d785085L,
        0x177b66ecaa04104L,0x1f6227cb108df3bL,0x1074b870a4a6e03L,
        0x0d72a212f1496d8L,0x0ffbc7e6f12e33fL,0x1bd05192d059e0cL,
        0x00d2fd32ce00982L,0x0c3fa45c3a1c45bL,0x03199a00c1fde98L },
      { 0x1c9a0cca2fbbbceL,0x1b72e55065ba21cL,0x0438d0e3b38e1dbL,
        0x1c27005b0539cc0L,0x1cd45a1b0aad148L,0x07e0f04e1f2e304L,
        0x137421d72e165efL,0x057633fef21b0b0L,0x12598b81ed81c2aL,
        0x0c5ef97815f03f1L,0x1f23bae5d973a44L,0x1b11649f2b5c0e9L,
        0x1c0c98f09d125e9L,0x105ba5939dd8966L,0x001df3929abb81eL,
        0x004de8e47a5f381L,0x173959447d6bea8L,0x049d383ae0b1405L } },
    /* 35 */
    { { 0x0bbefe2715b27f9L,0x0d2f11514049193L,0x0ebff56289aaa4dL,
        0x0cf8270d28bbbe4L,0x092a215354c83e1L,0x0684faa23ccde4cL,
        0x1a9a139b91c426eL,0x16d8c75ec2dab11L,0x05e896706883ab1L,
        0x009c9d01e90499bL,0x1ca4864b08f768fL,0x16f5b9edd487a05L,
        0x08791559e1ab70cL,0x16b87f858921a75L,0x0cae914101a036dL,
        0x1971e3421fca450L,0x1fdd69f9c08e5f0L,0x00d3a11562258a0L },
      { 0x1a9dd2e9f40b675L,0x03301fe638f9ce1L,0x098465238d08a9fL,
        0x11da15690831273L,0x0e31ca6b8f3b615L,0x146db1d1d53ecbfL,
        0x18b92f07a197bdeL,0x01e62bf181258f8L,0x1a260788f9f5c6dL,
        0x0c19894a5b79f62L,0x16f358dad36126cL,0x112178d33536e75L,
        0x182a1175e766e14L,0x1e29e527df9bc86L,0x1fd8245fd0d816bL,
        0x1056caefed88f0fL,0x19c827c7552600cL,0x004a26b184e92acL } },
    /* 36 */
    { { 0x1deb63ee6ab9620L,0x07d36bc366c0467L,0x1609158c82cf7fdL,
        0x058928722a28bdbL,0x173b3f872ae5f86L,0x17cbd4ca847409dL,
        0x06d88ef6017cf94L,0x1f9ee36b8519305L,0x0b394c70e86e0ceL,
        0x1a7d8d491ded9b7L,0x1d618b6f89f9694L,0x1be70756c2d3ac9L,
        0x1127c828cbbae23L,0x1d183d456eb6f8dL,0x0777d986406267cL,
        0x076ee6d990cb302L,0x176a3cb77747994L,0x03ec4f9c1b7ec32L },
      { 0x0564242c9f92b2bL,0x0353ae237195efcL,0x02ddfe669715c03L,
        0x1006292ad127cedL,0x02ce6709b6efe85L,0x176249ddff450ceL,
        0x10a35c868ec6fb9L,0x03a4ddddd5386e3L,0x1d798115e15177eL,
        0x1df9de7583452d2L,0x1688811b4ad2cb5L,0x12b6b37d3bf9bf1L,
        0x1c77640b793df09L,0x0d15e9e2e4b44bdL,0x0bf9d133833d309L,
        0x013762de8badd13L,0x0e6b53f3acb3a85L,0x0224d7c0fb1f953L } },
    /* 37 */
    { { 0x0fcf132a16d9377L,0x1bbd9bf0d17cf61L,0x04ba1b466b966acL,
        0x0da0277762e5c34L,0x0b5f66bad2b12e6L,0x0f55a804b9702aeL,
        0x17b0b44778700e6L,0x12783e629fb8cbeL,0x0fc3118418a9ff5L,
        0x1b9e0f670292373L,0x144d8c589415b77L,0x17aedf64bc33851L,
        0x04845cd2d730a9dL,0x09b74296824f692L,0x0322a0f1de6e0ffL,
        0x100670b46bf8fedL,0x0f5299bf1e1c95eL,0x007430be190448dL },
      { 0x172060267c81b5cL,0x04ee6f39bc39e29L,0x02c2a0513f40beaL,
        0x0e4c41190654e86L,0x18ea40f53006c5aL,0x1209d2270333306L,
        0x0527e774097e625L,0x1857be701988d72L,0x1801566190a125cL,
        0x06b51dba93c9e1bL,0x004dd1ade98bc81L,0x04d0b0bab2f16c0L,
        0x188395fe66a9cfeL,0x035930fb6e56865L,0x0764862ead1a3f1L,
        0x04805941debdf3bL,0x087c507d4a85e45L,0x037a2027899367bL } },
    /* 38 */
    { { 0x1e1920b4febd3ffL,0x11a6c7efe95dd51L,0x1cab866a60a7298L,
        0x018deb78416fa35L,0x1aa39ca923de161L,0x063855f1026df9eL,
        0x0dc2ca8b7a6e1b6L,0x01c4e5c186ef93aL,0x080914c06e56551L,
        0x108f3d42be5db58L,0x1f1bbf6099a9badL,0x09dc612b00380edL,
        0x02b9e24063dfac3L,0x1c3d52e2b4ffa05L,0x11c334a9ee8c6a5L,
        0x1e0e81c9a3fbe67L,0x1e2903e31326895L,0x0482bb8fc3fdb38L },
      { 0x199ba0da4062beeL,0x191c64a6becfca8L,0x06f078248b00639L,
        0x03625b0abfea7e5L,0x0d68ca29de9b2a8L,0x0604bfb24f9f76bL,
        0x0628192b7f0d314L,0x049032c95733b67L,0x000d59c477a5872L,
        0x0ff51cb3a62c81dL,0x1f63b85410f7402L,0x14dcbe3d9840d55L,
        0x030db9b7b4c5721L,0x13646a955b6b524L,0x120a89c1bff185dL,
        0x1ef507bc483ad59L,0x0cc0605f05227f2L,0x035114a9db2026fL } },
    /* 39 */
    { { 0x0452d8f74fce389L,0x11a60157d2ab249L,0x12efc3b5e094165L,
        0x166ee31c1b26ef9L,0x1fa69a4d89f4045L,0x0ad85d0883a73ecL,
        0x1b79975c2ec1dcaL,0x0f7645aa95be20fL,0x15c39a3d8a1a29cL,
        0x191b6016bcaf1d5L,0x00b400ad626544dL,0x0b7caf217dc5ee5L,
        0x11a8e65ea25e226L,0x1000e75ec8f0750L,0x071500839c69c21L,
        0x0d3022d201eb458L,0x027c3b2d5c0357fL,0x029464f5030cf1aL },
      { 0x0dc86b45f26c577L,0x1a3844a1c5ea28fL,0x004de4960a9fe01L,
        0x01bc3cad3e5bfc2L,0x1a55a356e08eacaL,0x0bb10b2fca977d4L,
        0x1c7ca93602d4f92L,0x1e1a56cb0ab9abaL,0x0246704bf66cea3L,
        0x09fb20fa49191e5L,0x0615726b6c4c946L,0x059c5a33aca54d0L,
        0x105b82ed7b86d52L,0x070a8694a9b04f8L,0x04fa244ec3c0252L,
        0x16892475b17f616L,0x157cbb1556cf794L,0x01007c849b9c5e7L } },
    /* 40 */
    { { 0x1b22fc58388387fL,0x178b8147441e2fcL,0x0e4346de5cf33c9L,
        0x05edd922e288f95L,0x030cdbc08d5d4eaL,0x111e15970b7a4c6L,
        0x11517724a443121L,0x161d629236061b7L,0x0631deb2e14de21L,
        0x051083317f4187aL,0x1a5e70de707cfc1L,0x16d1f60d4f2b498L,
        0x1a1619dfa98a732L,0x06df164d9d22193L,0x0627faa468c1f4eL,
        0x0663f273791a407L,0x1dc3daabaf20f4aL,0x02e183f4c6e87aaL },
      { 0x1c4e0c435b233daL,0x14842917b7cc2ddL,0x1486a2c091a38f4L,
        0x1352d22dcf33ba5L,0x014bcced978f40eL,0x083b160193ec363L,
        0x1cbb657a5540acaL,0x0661ffa432f50f3L,0x0c436513750e0bdL,
        0x1618a450413e262L,0x004aa0ff3f02c89L,0x02fc63250b138f3L,
        0x1e8830f42dc3d8dL,0x0583fc1fc5ab967L,0x144523df367fe49L,
        0x1f358663952a014L,0x185d0c539684c59L,0x00ef8b6fd60a1a3L } },
    /* 41 */
    { { 0x07bb4ac68bcacc3L,0x169a7a187ac67e6L,0x1d3f518615681b7L,
        0x088b93e1798b3f3L,0x0375c892f549199L,0x02cc1d6e2fbf632L,
        0x1421c6e1c23c4f2L,0x01f6654b98905f9L,0x1efdcdc352d6b4cL,
        0x1d9278245637d96L,0x0b53d4ce4191c52L,0x0a5f70747588b30L,
        0x082337a223162ebL,0x05e1ede9b8986f9L,0x19eb03b739ee00bL,
        0x0e2fd1672b2b248L,0x01721d3d2e81b56L,0x0394d3fa8232893L },
      { 0x14ed1aa8420f90aL,0x070cf07f2642ac3L,0x0aaac2f9d2bd8daL,
        0x01194c19536c5a9L,0x1645a86776fcc48L,0x18d92679885ad2bL,
        0x16d104c6eb26f76L,0x09ddeefae3a5bd4L,0x04706d21072fcc6L,
        0x0dc9348b39ebbf8L,0x002fcfa278198caL,0x19a6e80efa8045cL,
        0x0d829232e2472d0L,0x1c6e42999f10820L,0x0e3d99cbe45b7ecL,
        0x1c33a91776b3629L,0x15c19de9f4ad44bL,0x03fb69b249196ceL } },
    /* 42 */
    { { 0x1d064de6e794819L,0x1b4a77c175ed09dL,0x1f82e478a01169aL,
        0x060f4879a43e02fL,0x030433e9190d31fL,0x1fee5a361379133L,
        0x04702e9222a9c2aL,0x100831b210b48c8L,0x11b934fe6bffb58L,
        0x0e8f11bf1007c24L,0x1358fe95504f6ddL,0x1aebc4767eefbe0L,
        0x0b0f91bd30e216eL,0x1b94e284d02c336L,0x0aacb5e130e5765L,
        0x1ad0dd92fc3108aL,0x06c8cb7c1f90093L,0x0168191cab14784L },
      { 0x01c94074a44b4c5L,0x0343ce638164c54L,0x0a1f3ac3725ee61L,
        0x0cdc75464396a04L,0x04c256c23030112L,0x0da422e05643b1fL,
        0x1cd6d940d348395L,0x1b9552d4081e481L,0x0046d26d37cf7eeL,
        0x152d4709dc0832bL,0x112e5e0f5c30ad8L,0x1f10b3c9b51f0c0L,
        0x1a5457f5d12fbafL,0x1a98dbabc94ec80L,0x13a5ce74a787acaL,
        0x137b2429b57b93cL,0x19b5bd724fc4eaaL,0x039a609598f7cddL } },
    /* 43 */
    { { 0x0fe3c2e92f9b086L,0x0dc9f59fea2a24cL,0x022d700b1971190L,
        0x0389e064848f9c4L,0x079d29f68a52dcaL,0x037afa5af60becbL,
        0x0a044474bfb4250L,0x07e4c1ec7b81b37L,0x0de2b056f15472aL,
        0x18b86cf80394873L,0x08fa36dad723e46L,0x10739e6987dd45cL,
        0x011b973ee2345a2L,0x1d9268e2cdee2a3L,0x185068596f69b0aL,
        0x164032faa574678L,0x09f47bb16129d2eL,0x03e2ac54390fdf2L },
      { 0x1485a523f350fecL,0x13c62b51c6a605cL,0x1a88356a9934059L,
        0x05b2db45c91de68L,0x0f647b3cb85daa0L,0x0f4a36422f62752L,
        0x1d2af03469b2835L,0x00683b1a3829f53L,0x143972cc59c8b13L,
        0x1f0fa46a1a7fdfdL,0x13a4ea06748c619L,0x0120dbbde47e6a1L,
        0x19200cf12c49f53L,0x1202197e1e17367L,0x125ad4909a47305L,
        0x12f7d7ffee968e4L,0x14844527c9f020aL,0x01a66bee53d9e21L } },
    /* 44 */
    { { 0x031761a59e7fe87L,0x1718d0023e6b978L,0x19a3eb8c3d8ac7aL,
        0x1b6e3b62864f205L,0x0e0038f4a666f48L,0x1eebb6baf7333c0L,
        0x13570ed16b19c0aL,0x0221a5f705141adL,0x027ce7f1d9d8c5bL,
        0x00ff0720905af4bL,0x06e612e499f0dc5L,0x0b13ac06259b2b4L,
        0x0eda5493565206eL,0x03863a560c339a1L,0x15ec2ccdd1482e4L,
        0x118284e07976b2aL,0x087f621f59ca6edL,0x03e758e6155fbdcL },
      { 0x047a5bbdb7fd65bL,0x02e601b64a2be03L,0x076e7849c62b635L,
        0x09d274ff638db53L,0x1d1566a1ed1dbbfL,0x00648ca28964ae5L,
        0x149a52186e8036fL,0x15c78d985313cfeL,0x1671961500941aaL,
        0x1e7ae87e4629c71L,0x1a64a68969547efL,0x130a2f941e4d5adL,
        0x0afa89ef7e90710L,0x18d5a2a4ba1dbc7L,0x1470db4e757a8c5L,
        0x0ad1ae885e7e7cdL,0x15c25a683e0059dL,0x00fb14d4c913e76L } },
    /* 45 */
    { { 0x125ddace45a1c3eL,0x149b2a0fbaa2fc4L,0x1f2cdf9fe0a1cb4L,
        0x067c98f3a48ac45L,0x1c2645d68823451L,0x04015caeffd7c24L,
        0x07e80c1e3d37665L,0x198acd24fe13a67L,0x19a500a1e9fd91dL,
        0x10040c0055855ebL,0x04d68e0653977f3L,0x060f315be111b2eL,
        0x189a45a2a79e876L,0x1c45a1cc9dd780dL,0x1ea65f5bfb58551L,
        0x11ddb301cae45ceL,0x1a2aac90ffa2a37L,0x0253afed145ec02L },
      { 0x09a8fbb55e74cbcL,0x19c677d58c792e8L,0x0b5a5d93b0e9cddL,
        0x17cfc15a621f847L,0x0481cc9bc5a7d35L,0x05761a73af03477L,
        0x18f13c30baa64f5L,0x059e2649fd01a94L,0x15dbb7c1699b059L,
        0x016b3a6d3f07a35L,0x159b1e8c03eba91L,0x104266675906b4bL,
        0x0e8c408496e83dcL,0x0cf7afe0b877c09L,0x0d3a18a5b8772daL,
        0x00fb0dc56ee362eL,0x19a04629cdc5835L,0x02c0cfcd711ec0bL } },
    /* 46 */
    { { 0x19691216aa78811L,0x1747a1081f3e1ecL,0x01c08ae79a63d93L,
        0x1c9eb059bdbbe02L,0x0ecfac1ae6001f9L,0x1c9804925304579L,
        0x0a445bbd31e1018L,0x140a4c5d5cdd7eeL,0x1ddbd0af58c4ee5L,
        0x1ad7fc8766c3de3L,0x16cd31bc93c4521L,0x0503d0cbe2e45fbL,
        0x06886c1b9a48104L,0x0f7a118fcab4921L,0x09fa0b9bd7cc822L,
        0x12b915eb0f59fa1L,0x150d65719179ac3L,0x03a2cb01e09b253L },
      { 0x02475bff41ae519L,0x00fd8a57c79288eL,0x134abbecb0f4d10L,
        0x16a39b5e10e1bbfL,0x0208bb199b2d385L,0x19f9fb4298e12b4L,
        0x05da45b2277d930L,0x1758479f53248aeL,0x12339b51e86d010L,
        0x06d87469131c189L,0x0785e403fb7adc2L,0x1b9746d0fde3eedL,
        0x03914764753fd96L,0x0622e46ee682359L,0x0d0f5e3cffc8190L,
        0x1dd21dfa2cf7b70L,0x145493ccb6d4b77L,0x019812a89d9e7bdL } },
    /* 47 */
    { { 0x0f0046935eaaca1L,0x025bac488c8811bL,0x19979b4a553030eL,
        0x1363d3adaf966eaL,0x029c2757cb9199bL,0x139c683ac291a4eL,
        0x0909e272f46eae3L,0x113371b7d20b247L,0x1a237793e18fe18L,
        0x0138babd3a17041L,0x05e7493baf584e9L,0x00a9a9e59eef189L,
        0x11958705de40325L,0x19ecccdd51dc504L,0x03fb8786c646f64L,
        0x1be2975fdf74876L,0x01cb3bad1843facL,0x0499456d821c3abL },
      { 0x1e84e80f906b872L,0x091d03c131332d5L,0x09f8ce6333ddc15L,
        0x1beab6a647b138dL,0x0554dea82fab551L,0x0ac4e6d02bc7650L,
        0x15d43bc9948f4ddL,0x1fdb1fac4850c95L,0x093f27fc5178fe1L,
        0x19f37984efc3a11L,0x0b9278dd434151eL,0x0d64bb80714250cL,
        0x0284db682b7d90cL,0x0c40c98560d0d71L,0x1cf82911fcf6adeL,
        0x04b8a61cd7aa575L,0x1e70680025bf62dL,0x00550f9e7d6e86aL } },
    /* 48 */
    { { 0x182219022a10453L,0x15c8e1501d085d4L,0x16565991bcef747L,
        0x09e716df8d5f76bL,0x18cfca1da58de34L,0x186d026723e1f2dL,
        0x0bb5bf36385b43dL,0x11d58886937b44cL,0x09320d87bc56e2fL,
        0x071f5040c89c72cL,0x18b7fe8ac8db027L,0x14b91cfdf61b4b0L,
        0x0b16ac78eb6b0f9L,0x184da8d7a5a9a19L,0x14658a1bfd0c415L,
        0x0075a11c46df11eL,0x05e1f93f176eed4L,0x02ac99bf04b1b2aL },
      { 0x0ddf738d8fd807aL,0x0764ed589891118L,0x136d896bef0fd38L,
        0x093e25f12a2945eL,0x0c3044fdd5b7060L,0x000a47da379e11dL,
        0x195506c8cb47fd5L,0x0eac368b1ea7369L,0x1f694b24a0dd70bL,
        0x1e3214c944ac0ecL,0x1526fbb97f88b43L,0x08fed4317ec780bL,
        0x027f1929d67af34L,0x00aa8f4674b50eeL,0x1753e89abf980a3L,
        0x059684fb595e656L,0x0d34a1631bc545cL,0x04980387cd8648aL } },
    /* 49 */
    { { 0x0f32c5e69a9bc05L,0x00ce32c4e25b9e9L,0x197a51997e70297L,
        0x0779f6987212b93L,0x1ddb7c318ab0f29L,0x19c0245c83843b8L,
        0x166f6253a59619aL,0x0d3e335219ec0d7L,0x1cc1d58dfb6fd2dL,
        0x036e627230ec534L,0x1709dfe73920c62L,0x132cecbf150588aL,
        0x0cc3badc8d749a5L,0x088966d597fe334L,0x10f1f2ce0060e5aL,
        0x04449530f2b8764L,0x0148775f310010aL,0x0021d10a0ac3dafL },
      { 0x1be9dbc3a873752L,0x049fa17a217f73dL,0x0b2306308607b85L,
        0x01c52ed3cf30394L,0x1e768c5f00ce309L,0x0bb3bf5a3135646L,
        0x05398cfa73918d3L,0x17ff138595bc1f5L,0x004f5cc1141f5b5L,
        0x0b2fb9b11146096L,0x1dc1a8301733949L,0x1fff7c90f89fe37L,
        0x09a499f1a45d07fL,0x0c6ca4001f621e0L,0x0fc4be13d39e6eeL,
        0x01adb1466b42c0eL,0x0e84bb5eaf70f97L,0x00c683a3df92685L } },
    /* 50 */
    { { 0x0d3c77c84601fafL,0x12df1578e0fb92cL,0x1e63445b601b251L,
        0x0dab61b279fec4cL,0x1ec6723a3996c0cL,0x1d29a497d0d6baaL,
        0x1362a59aa05100eL,0x0cbb89928445586L,0x1ddf471deed6758L,
        0x05652cbca9ea947L,0x118ed493afd9f76L,0x10e2fc4b69a765cL,
        0x1a43159daa25824L,0x019abaa011e2d6dL,0x0e2c6995163e71aL,
        0x1a4639ed0bb4ff2L,0x059981a4fdacefeL,0x0388849f6845dafL },
      { 0x0aa3fc6401f161aL,0x0c2b04ba62f4389L,0x0bec5ed77e0bdcdL,
        0x0f491cc5329544aL,0x09dd847db0b82b0L,0x14e2d30011a0ab9L,
        0x1d4e3c795340114L,0x1979838a73cdb31L,0x136162b5328d3abL,
        0x0d1bc9c15427866L,0x1ea06d37b9d211dL,0x0bf698477e37ee2L,
        0x1f787e8b3e16cf3L,0x0cdbcd583fe8e14L,0x1db182edf69f9a1L,
        0x0916a0e4201410bL,0x1d431840159e7edL,0x00bc4c5ed26ce4bL } },
    /* 51 */
    { { 0x18483d8ae1b8cf8L,0x0a5a174d1442b66L,0x013c81292f08c8fL,
        0x1194f4d3f4ec66bL,0x1757bab24e0b222L,0x02fce5457ded45fL,
        0x0570e16c90221b3L,0x0d68ff69027a835L,0x13f1bc53cc2aabeL,
        0x1166d1f8d68acceL,0x1b02070c7aa6c7cL,0x009602c29582365L,
        0x09c6afa7ab048f3L,0x00a06e1ee718e77L,0x1a2aee956bdd8cdL,
        0x07dfd096f566fb9L,0x0b250de7648c7cfL,0x039d446e78a9ab5L },
      { 0x186828806e83b39L,0x12209cfa201be9fL,0x0c3c5f6f21051deL,
        0x1ea9a2ea93f20b1L,0x12307ffe2db64f4L,0x093130d11e75357L,
        0x1fc98e4fbf5553cL,0x06a5e9ccb1421e6L,0x1a4437ce3f4ee1eL,
        0x077a153d49e6f45L,0x0f27d24e6aa4059L,0x1ad47af6b9a83bdL,
        0x11f88a3acc44223L,0x16304516bc4d350L,0x1d5b0195bee77e0L,
        0x14601cf3b71c777L,0x01e73c56af2668fL,0x02979958bd71cb5L } },
    /* 52 */
    { { 0x0f524c1e714f71aL,0x109314d6ec28cabL,0x0761972b6f8f06fL,
        0x10b41f6c935b231L,0x01d192d9d88bf5cL,0x1925b7cf7d35491L,
        0x046738ffa0e25bdL,0x181d87f5c4964a0L,0x14b6af9f62ae0d3L,
        0x1e75d05eb0cb126L,0x0c24acbf6db8ea3L,0x06ec64c79a52fb8L,
        0x1ef95c43bdc91daL,0x06f5a26c98603b0L,0x1034c76244d9003L,
        0x1133ffafb9d0887L,0x0c178fec3b19871L,0x03cf0a69477efacL },
      { 0x18222359bb40c55L,0x1901687683d2171L,0x06a520e307d0289L,
        0x0fb0c94f1c91cd8L,0x0c6c55c92b5f24aL,0x096a843f3f8a050L,
        0x0784398b0412b38L,0x1ab361434fd8236L,0x0fd8a275fafbb3dL,
        0x1f9aa7f4d1db598L,0x0176791980a8077L,0x169b2776cbeeb42L,
        0x0b0f82fdeb3d371L,0x0f2342a2ed2e5f8L,0x0f545f918048a6fL,
        0x1e924a0bc21738eL,0x0e277cfa541672fL,0x006c761454cab36L } },
    /* 53 */
    { { 0x14cf73ecbeee995L,0x1c45e6a48f40600L,0x12b766ae9752cbaL,
        0x072609909ac2b4dL,0x0ab03c9a2f7d463L,0x1d5dca5d0280e94L,
        0x15dcb23dc8f7a46L,0x129910bf2eea080L,0x0b5e1d2b3c7fcb0L,
        0x0f73ccaefcb638dL,0x036aacd19126798L,0x1bbabec0f265719L,
        0x01b1243587db425L,0x0fe3a1a038128e5L,0x00ab2249b5f4efaL,
        0x14e9f182f262192L,0x0fc72522c154559L,0x043000f13e1b9a5L },
      { 0x1b00ba5e7693947L,0x0320f0096031589L,0x0383a15242a191eL,
        0x1fb2ae9abdc3487L,0x1bd3ba615173dbbL,0x1f503aca9975c64L,
        0x04ae47d06f2e17cL,0x1695839848f1977L,0x00f34648e1ef901L,
        0x0c94e8f6959d977L,0x1c7aaf0f5d6ff37L,0x0dee2739e9a48e1L,
        0x0df04249535cdbcL,0x03fe59c1e6c322aL,0x17e4c30781e6049L,
        0x1780173e413682fL,0x0c14225fc31114eL,0x00102c8e59a3ca3L } },
    /* 54 */
    { { 0x1003721275e0af4L,0x0a0f7f3c52525f1L,0x13db45d5d215c84L,
        0x0e2d1ccb3cccd9fL,0x0e2842ee5fa1d73L,0x05eafb131f1f2a0L,
        0x0412ab7b30f5252L,0x030033bc07a48d6L,0x1f8a9e903f343d8L,
        0x1abdd252d860698L,0x1b14194789d97f2L,0x0a3eca337ecf048L,
        0x00f2119a0180c57L,0x1c10ea7a2f82e10L,0x070e819f9921ee1L,
        0x0c0a44c5f29544cL,0x1ef56cfe4897214L,0x0288ccc2fd0ef82L },
      { 0x019497db18586c0L,0x00aeb637755312cL,0x1ada5f368a2c011L,
        0x10f8328b28f8d48L,0x0ed3a5069a149b2L,0x04a65a5ab1b4fd2L,
        0x1bb89c24aa9990fL,0x012ab79ce7553d3L,0x034bb2870778935L,
        0x17cafd80375a993L,0x140c8e58e3d2162L,0x04d0b74eb7f10f9L,
        0x1d9d42d58129376L,0x12e36b26f996b79L,0x137b506932b55d1L,
        0x140cf30bea1f765L,0x19acf34ce0e9006L,0x02cf57932ac52bfL } },
    /* 55 */
    { { 0x1407efb6ec3876fL,0x03091f87a43243dL,0x1bfefe24c0e5e03L,
        0x008b5235605576aL,0x18811b829592eaaL,0x0f9fe4e72dc26bbL,
        0x184ee1a9c68d07eL,0x10182ffbb0de1cfL,0x088ed8297655a08L,
        0x0eb6e3a40eaf333L,0x1277d8745c5e5ddL,0x191bc7ef3c3fdffL,
        0x1d2046192e36ad4L,0x13a7ed316d8a98bL,0x1766451e327e9e8L,
        0x12e3809d9249f05L,0x1fb059d1e383a64L,0x01da2287513105dL },
      { 0x1b7a955c776dcdbL,0x052be40e45d239eL,0x000d415d83ecd71L,
        0x03675d86a75c50aL,0x07117be5e3e8069L,0x1667b09c019adf2L,
        0x1e45b8711f8e815L,0x1c24a79fbd6672eL,0x03decdfbaf5cb7eL,
        0x1e4bca7be7a5b82L,0x05a0327fe0518bcL,0x1c237c7b553e480L,
        0x1769f91d8a4e440L,0x05af4e2ee2e821bL,0x0df4935041b1ea3L,
        0x169443232134267L,0x014e893c8383764L,0x0253ff1866214dbL } },
    /* 56 */
    { { 0x18f3a702455c7c5L,0x11b74380abbaa73L,0x1491d88c98b16ddL,
        0x1c378f018fe6588L,0x115ed8772c98b11L,0x0932fa6a4757564L,
        0x0803eec134f0066L,0x1d0d6a563379f4aL,0x1c46a098193ea3fL,
        0x016399edd3ac02cL,0x12ef58625aab336L,0x05f99d1d9aa3a64L,
        0x1d02fc44b3ac09aL,0x1550bc25a94c8c7L,0x0882173c311792aL,
        0x0fac26ac4c681fcL,0x12353cbb676c50cL,0x041fd0f51b28935L },
      { 0x0ac86da10ccc646L,0x031bfbd8228f4b0L,0x18c228221840b38L,
        0x12406933057779eL,0x1c0bcda023c1901L,0x0a7ebeb83fe1ce7L,
        0x0eeedfd347c546fL,0x0c1ad4c9ce888e2L,0x157bdc676c5ac9eL,
        0x0b629819bdb08b4L,0x144e5b73d028751L,0x184a932fa58fa68L,
        0x04c2c4a739f3edeL,0x1535697129a574dL,0x1a57e045004e5f9L,
        0x1f57e40ed3a9a47L,0x1e0cee007c6de98L,0x030a04bbcc98e28L } },
    /* 57 */
    { { 0x1db32db15156623L,0x1bfde55bd33e11eL,0x1d41bc678f09a04L,
        0x05132498c24c023L,0x06804c1c34218b0L,0x157353a4950587eL,
        0x0f987596f9c1abeL,0x0d27627a47c1a03L,0x144545b47f87f4cL,
        0x0111b71026e0d51L,0x149874f14587b35L,0x14c77b11780ec26L,
        0x161599d7201eb46L,0x14dd7879bc636c1L,0x01ca083da557f85L,
        0x068148cfdd7ac2eL,0x1882f1b8a2a3e3aL,0x031b6d63b1685afL },
      { 0x0280db9b4c80af3L,0x04e68a71c4955caL,0x0b83451df772686L,
        0x10d1f3e29e4dce0L,0x00baa0b2e91aee3L,0x18a51494327b1d4L,
        0x1f2dab3607dce2dL,0x1fa61c370e18bfcL,0x1883ea1c3b10837L,
        0x0d13ca9b590244fL,0x0ca9a1628b697cbL,0x17e40751f42875dL,
        0x15dc70b1c4e2330L,0x14cb3c7a5ae2445L,0x17d9d7029e31364L,
        0x1a6d04677a1304bL,0x13f37b5c0767b67L,0x017b6deff2685f7L } },
    /* 58 */
    { { 0x18472fd2e4da7c7L,0x07e48d733bc9917L,0x0228f709a389c23L,
        0x00f33448486c95eL,0x11d58bff0f10dfeL,0x04b17377c896ac3L,
        0x1a829afcd77f262L,0x1825172df52be8fL,0x0734a79eaaad308L,
        0x0b9819bcfa1bdddL,0x12f639b3d53dd65L,0x1b9fcec65dd8005L,
        0x0b5319310447606L,0x0567b94ea025af6L,0x177c7782b8225f0L,
        0x0e89112c5170c77L,0x14eeced154ef87dL,0x02e5b70cba2c6aeL },
      { 0x0cef197008c75edL,0x04e9f7b77557c4cL,0x180861d7a5b5f3dL,
        0x1dbb361b143adf3L,0x19576daafcec2cfL,0x13eddc1c530e7f5L,
        0x053d04000fce4daL,0x0a766f870d04770L,0x09fb66dcbb80e31L,
        0x13f175d02cc23d4L,0x118ff4d69c9dc27L,0x1b23f93c1da149dL,
        0x14d515baa4311f3L,0x10466a719e0ee04L,0x157baa9d681baf2L,
        0x0583f56c2e4705dL,0x0e52e82bbb0e1f5L,0x010a4eb1828baebL } },
    /* 59 */
    { { 0x01a8e6f5f9311f6L,0x11e4fdd5e0fc2f7L,0x14bad250826b25fL,
        0x1832ee9fc29f4f8L,0x0555844f04c2f51L,0x039d59ae77e8914L,
        0x067f2d4e18a8ed6L,0x134ed1dfbad97daL,0x0cdc12479ee5846L,
        0x091bf189ec0604eL,0x128a4301130a304L,0x02f57a8fc50fbaeL,
        0x08ad0ffeef9ee65L,0x00c6940fe121091L,0x1b0378509cc223eL,
        0x17ae7d78e897887L,0x06c5b26eccfb415L,0x00a7179a86583e1L },
      { 0x08d2a104216946bL,0x00f83bd25ec96aaL,0x028d0da54581ba0L,
        0x1ec7432f92b32daL,0x061f77c90f1b5c2L,0x1fbd913ced1e278L,
        0x048fc707358d24fL,0x078bcc36ca14468L,0x0826b34c5f28403L,
        0x0c5c8746179a10aL,0x0d5882ba01bb15cL,0x068bc64953694beL,
        0x1e8b53cb51a2faeL,0x1ccb2bbc4605dcaL,0x077bccb253dab0bL,
        0x11e4e0fd8c0fad7L,0x04f63bf1dbad0edL,0x02c29bf016e5b0fL } },
    /* 60 */
    { { 0x164b06464f80ba2L,0x02af382acd22d8fL,0x0cd3c7d2d8d3a38L,
        0x1fbd190905864c5L,0x030c780aef4f7d5L,0x10f349ceaaef506L,
        0x10d2c5d02bee73eL,0x1dc59fcd4cce8c1L,0x0f66959411187c1L,
        0x1c1793bafcba6caL,0x02b390011527ac4L,0x167f757bda04394L,
        0x064e3653eaf8244L,0x02ae2fc1e1b7a68L,0x1af3a43aae7c373L,
        0x0284bb27739df59L,0x10d16658e721906L,0x0242bc1afc16bcbL },
      { 0x0d525bcd2576210L,0x1c553ea8daa21eeL,0x1c5c6f60e6527cdL,
        0x07e7158c43fd2f7L,0x018408cc930d0f6L,0x07a9fb57c7960bcL,
        0x1d7909a4b21f898L,0x06e1dc8a80fb614L,0x10ec47ae5ffdb1bL,
        0x14894ee3d535225L,0x04cac8b902dd75dL,0x09a12bde76ef6dfL,
        0x1568bc63e8e0676L,0x0e000a60147ea3fL,0x065763b46041252L,
        0x10b5f21c5a7fbafL,0x128eb39a05d6c2aL,0x036013bded10f98L } },
    /* 61 */
    { { 0x01b7086b509e7efL,0x1763d9ebfcfc8f2L,0x1e51549ae22e210L,
        0x080a3ba1579a50bL,0x174f1ceb6e44e06L,0x1f330dc80cc6083L,
        0x11f65bb2afa6048L,0x1dc8902226c65ecL,0x11dd82b4526c52aL,
        0x128483fc9cee4eaL,0x1bbbcbf35156ff5L,0x09bb1a5cbaf97abL,
        0x1288bc9f2a7815aL,0x0bd1d9912d6a764L,0x0e72f6f1bc4342dL,
        0x09dd1d1a183ce41L,0x18f5a0b071a9b77L,0x01833de4d7917e7L },
      { 0x0e589f2b7ca9326L,0x0837ed89127b1f0L,0x1485d1e95ef45e8L,
        0x1ac561105d646a8L,0x0391ffcf2614982L,0x072206bf9d7aa22L,
        0x0c1c46aa8cdeea1L,0x0a851d46f612837L,0x1a957dcb42e4a7fL,
        0x1d5b3160d356afdL,0x178e07df0da8839L,0x1019375416d7a26L,
        0x0c94e4671f42e79L,0x05849171a11b818L,0x169627c93318ffeL,
        0x1fed9a21aa4f288L,0x195bb99d316a870L,0x01c8641e554cb60L } },
    /* 62 */
    { { 0x0d3fa82ffc4a73fL,0x0eb1a9dea9981a8L,0x1e28992eddf4999L,
        0x1c45ae7b090140dL,0x0323b8aa81c04a6L,0x0626ad1204e7fa8L,
        0x07064c773885e31L,0x1706e95501c181fL,0x10b25a38700186bL,
        0x05bbd085578a43fL,0x0e6b56ad2637874L,0x1b4c3541822c2beL,
        0x1d96e25ce892e32L,0x0f43236891471edL,0x1ec71a2d5f22371L,
        0x1bd8ace5622c84cL,0x13a5d0d807f600bL,0x01f52003e911f2bL },
      { 0x16debd0a595d0a3L,0x0bb65d7f859da6bL,0x153e6c6f6e5e9afL,
        0x0898e298e37e582L,0x021af66362b19abL,0x0a0f7b64df99dc9L,
        0x03db48f61f12632L,0x1824ab00987af3eL,0x16f1a10052a7acbL,
        0x0d5bcecaa829457L,0x1e9bc32345884d7L,0x16dbbcbc2053faeL,
        0x12f95da12b40508L,0x1ac545d0ecad607L,0x18323ee2182bdc5L,
        0x09a6816329906e2L,0x0a0a40e6c80ce00L,0x004fc150bb58a55L } },
    /* 63 */
    { { 0x0abe588c21366dcL,0x00527d7baed7cb0L,0x1f66b2e4fb51ca7L,
        0x1d0f42dae0e0a03L,0x18e7361bb97e744L,0x1aa679d217053d4L,
        0x041e06b36bfc8a2L,0x1cfe10f99776f7bL,0x1da6f3983663250L,
        0x16b49f75d783e04L,0x0bd30e32ebc55d9L,0x1c0fbf9533a0f37L,
        0x07f26d8dab5a984L,0x1f5d1b7cd5a6992L,0x0374859342f9c05L,
        0x09e066f773cca1dL,0x05a72aa4e24531cL,0x03be8f4c25ba9ecL },
      { 0x1373239d8e62367L,0x0c245dcc10678ecL,0x0d116a725f10cd8L,
        0x1c29f2c1f8018fcL,0x140474b59a0ec9aL,0x1032eae7a0f867bL,
        0x0184297bb7a3fb3L,0x0bb63bcb49d3d01L,0x117c44ae4ae0cf7L,
        0x1d2b191b58a4685L,0x09d03f4a7fcb70bL,0x17151196425cc9fL,
        0x0d6a863016c605eL,0x103da60bf963b8dL,0x1525e15b5844b9dL,
        0x1c1cbfd21d80e81L,0x1b0599be18be256L,0x0273755f6652a56L } },
    /* 64 */
    { { 0x10323d3fb99cfe6L,0x0de136499a0bc4aL,0x1905f2f7edbdec2L,
        0x09134eaec0c8223L,0x10919cb09114174L,0x15fe97a6319efc8L,
        0x18b6dc57f1f1ce5L,0x15919432a251956L,0x0306724734db81aL,
        0x13d1235da6262a5L,0x1a83eafc8a591b9L,0x0be3f4b6bae1aefL,
        0x05c2f192f35bed1L,0x1fb34856d2b436dL,0x0942df77b2b1ca9L,
        0x15a5e1895e54595L,0x056f44631c16049L,0x0192e93cb027678L },
      { 0x011fb554848c144L,0x11492db53d79977L,0x0384da783e69381L,
        0x0d94a7643c24b6dL,0x0e98ea1bad9bdaeL,0x17d1cafa86b02e1L,
        0x0cbd6f6e7854e7cL,0x1ae8ae1c65bd22aL,0x1810698ae46a250L,
        0x1ecaa3656cec8a2L,0x19dc8447a5e979fL,0x0faa493f05d357eL,
        0x099851df63ca29fL,0x18e871f2d4e29cdL,0x074ad5bf613552dL,
        0x012d5a3c08b3808L,0x1d3ceb3eb6efd80L,0x00cea42a371953cL } },
    /* 65 */
    { { 0x019ee8fb540f5e5L,0x152978273468bffL,0x16c2b6f721c61b4L,
        0x11a074ff91a4641L,0x08bcb916a83ad5aL,0x08f4202a5fc1e38L,
        0x1777c2484cfa8b9L,0x10779c7084996a5L,0x0d5c7be40310635L,
        0x0f5dcefa2c718bbL,0x0658e6f136aeff0L,0x1fc980ae4b515f6L,
        0x1484e1cd2436350L,0x00a2dc6f5625031L,0x120c8deb7dcc553L,
        0x04e40154dbb3d66L,0x1b0a3345c3dcbffL,0x00d9d67365a7229L },
      { 0x143e5e990a8bdc5L,0x1dfceb183504481L,0x08d63921483a880L,
        0x1dbcfa3a0d30913L,0x1f795d3fbd17debL,0x1d851fc7d7d36baL,
        0x1abea933ad8c0e1L,0x005c02cd665ffbbL,0x0a2fe20547e764eL,
        0x0d5cc127438f982L,0x14daee54bb11795L,0x0909521a4195457L,
        0x0775bcfb537b4c1L,0x14c16272a98cf9cL,0x00a4874d08e2929L,
        0x162fd4576c38f42L,0x0141e061b64db3aL,0x029c7619f0c9785L } },
    /* 66 */
    { { 0x13496fea19b56cfL,0x0bbfa3ddccd668cL,0x1ea15f42a20598fL,
        0x0410506bfb1e095L,0x1d82cec7cced3daL,0x004e42bf10fd76aL,
        0x08c1db85d6e67e0L,0x105b38dc6365a0bL,0x196948d4a81487dL,
        0x175e9f96a37b32aL,0x146aa1dcf331261L,0x1e45162c814d0d0L,
        0x0841a20b753e220L,0x08560537cf8371dL,0x0facfecb3fff97aL,
        0x1c593eb5363b51dL,0x0012587d9976e08L,0x037eb014c01f4faL },
      { 0x0709f8d8eb7516aL,0x0c53a5ee2cc55aaL,0x16621fa0073a0c1L,
        0x01a2f7152da469bL,0x0e90f6abfd0f9d9L,0x1f6aadd50f2a4fbL,
        0x13064925bfe0169L,0x0ea1b3ecaf4d84aL,0x03cdea49cb89625L,
        0x142d1f816ff93efL,0x039ff76e2f012edL,0x01ff30e46d6078aL,
        0x1dbb0d5055904ffL,0x10a5f46824a14c7L,0x0f4c358d2cce1b7L,
        0x1fbb2f5a69d38f8L,0x1c01f2b32bde159L,0x04267d11e63b0f2L } },
    /* 67 */
    { { 0x1bc11eb8b99b964L,0x006052c717e2389L,0x11275326952e38aL,
        0x057edc41f50e1f7L,0x17c88cfa37a334aL,0x0578ed772c1e86eL,
        0x1e2981780a6a3bdL,0x0c4daabc468185dL,0x161b6fdfe209e9bL,
        0x18ed6935dc70407L,0x0f058a4e4bf068eL,0x1fcc155c7e9cb5bL,
        0x1ac2bf4d5b02ac0L,0x01417f6946ccc00L,0x0b6ccfc8ccfe4ffL,
        0x0a5ce2db962196aL,0x18e09f90f84c557L,0x0143ea628e42506L },
      { 0x1a582010e9867daL,0x0c4d98d43a66d2fL,0x1f17ef7b88b9851L,
        0x0bcc257b5000bc4L,0x0d3635f9e357fefL,0x092d432706df6f9L,
        0x08b958af9c391bcL,0x1a3413731081b29L,0x17eb99a1528b5e5L,
        0x0dca0b73a88145aL,0x0dff5f81b4b3108L,0x0a2ffd41308a362L,
        0x06ffcecbd76fa1fL,0x0197a29f1dd0f4bL,0x09a3e875322692aL,
        0x12b460f63c55fd9L,0x013d0fb44534bd3L,0x0009951ee6c77cfL } },
    /* 68 */
    { { 0x13c7785576374c2L,0x09368c239382072L,0x17208a328113981L,
        0x05e39c2627140cdL,0x0deb0c5d1fe1c1bL,0x1fc137957764196L,
        0x096269d659a6672L,0x0a99a311d03bcefL,0x0e5ce0fe0118d12L,
        0x0a154c203c85c35L,0x1c10fce6b0a33a8L,0x05210fbcb009c51L,
        0x12f639a8c54eef8L,0x0c43bca7c1e18d9L,0x0c6ce475c11529dL,
        0x18f2b94c6baa031L,0x025cefea07631d9L,0x009e5f73b5b7c55L },
      { 0x1cabe0f8d3f34f3L,0x0e18e51b0bff1bcL,0x188f76509a86f6aL,
        0x0fe539220964dbdL,0x02c6cd3be9dd962L,0x1d10cb019f58b4fL,
        0x120f229cfd24bf2L,0x16f25c6fc1770b1L,0x0e4f2aca623b3fbL,
        0x080fd8f325f0051L,0x1e09aa523d91220L,0x0f6920e4c1cf234L,
        0x10e30bb83541406L,0x04cce0377bba552L,0x0821447e48b2a03L,
        0x009e0d70c6b7217L,0x167bf936b5c25faL,0x027050d6d701744L } },
    /* 69 */
    { { 0x0ca66708ba29c4dL,0x12067114c404a00L,0x099c5b769d4b020L,
        0x0b5777f468438b9L,0x1ed28b72689c0e4L,0x02b55a0ebaa2fe9L,
        0x075957c8846635fL,0x112967b1ee870ebL,0x093490dfb8fe50bL,
        0x120faebf4075d0bL,0x1697ade6b2d4dedL,0x092e183abcbcf61L,
        0x0da5da429aab6b1L,0x17b69792919c734L,0x0c3ce9f804310dcL,
        0x0117844de2da4caL,0x199efb0f7b6cbefL,0x0399f186ccfcce4L },
      { 0x0fe1582a42a38f9L,0x16ac723985a8076L,0x0a9f7a5dacb2bb0L,
        0x0b52d383765dc5eL,0x1cecdb4af0539dbL,0x14748118caa0b47L,
        0x1507fcbdcd22b9eL,0x0a43ab1af986242L,0x15d25b75c2202aeL,
        0x154cb2d7a041ad3L,0x0da9054a6d391b7L,0x16df7a4f5b367fdL,
        0x00261f900b5c97fL,0x026ad8cf6c3aaa6L,0x0866e72d0c0c764L,
        0x0179e67abd37196L,0x00c7a43d4923ee0L,0x02b7d659cdbcd2eL } },
    /* 70 */
    { { 0x19165a2a3018bfaL,0x035924ffd6cc200L,0x07d954d06a6c403L,
        0x0e4bb8999377e36L,0x0bfffe60e6bd1d9L,0x0a84d5a942876a9L,
        0x167c493a64b31f9L,0x091fed8a05c99d6L,0x02f0b35731aa7d1L,
        0x0860eeef3f1d523L,0x127d174450a203aL,0x1a4ccb7cbbab75dL,
        0x0e1febce13475cfL,0x004a169841d5d8aL,0x1fa0b21aae920a6L,
        0x0431a3c3646ba52L,0x0bbb771cdbe50d8L,0x0442cc9336ca6b6L },
      { 0x0847290155ccaf2L,0x0f5e3be2dbb9f04L,0x1746cb7423b619eL,
        0x1d0fa8ebb751165L,0x0694d02a960a180L,0x1fcf4b407edb5bbL,
        0x0db10fa1d6324fcL,0x0fb7b47edf495b0L,0x19400c58132fb38L,
        0x0d3c2a112a81007L,0x1f0d45ddbb3c609L,0x08dcacdb6b34552L,
        0x0026545eda03ebfL,0x07ba55a223a1d14L,0x12cfda7b45a7613L,
        0x0e32d7557263b11L,0x11970ae932cd825L,0x03cb9125350604bL } },
    /* 71 */
    { { 0x12923f8441f3567L,0x018b417125f8eb1L,0x09aedd9c7fff047L,
        0x0ef4bc3444972eeL,0x1addb417601746aL,0x0cdc2329eeef501L,
        0x1ffdd5e19e8f1fdL,0x1516025530ead9aL,0x01bd5fec9f19ba9L,
        0x081bcd17c1833a4L,0x0d1176ae301745dL,0x0836f207e854eecL,
        0x0da903e46d5d7f4L,0x16e89360e008b3aL,0x1156d006c74f136L,
        0x06add44ea5558c2L,0x12c4da42a68555cL,0x01ff84e0aec1042L },
      { 0x00a1bcef9cb7784L,0x09cde12117982a6L,0x07f431052a9ebb1L,
        0x19ffa85788be81fL,0x0f358e15d3aa316L,0x113b41217ad2619L,
        0x1b3b802f7367b5bL,0x0ba0d3ef13ff14bL,0x18078018e05e14fL,
        0x1d9f249c5a063a0L,0x123075e45fdcb4aL,0x0cc998ae2a18bb7L,
        0x1ac3fa8920e0eeaL,0x0e3cb8b2512f662L,0x12b45acf086c3d4L,
        0x03b351e1345e4c6L,0x04c8e730fc55839L,0x023f78c02a7efd7L } },
    /* 72 */
    { { 0x165f3d13da285e4L,0x0a6dd1d00f1fa4cL,0x04e984852b42e9fL,
        0x0a4472ea928e708L,0x1a730b92d3b7d53L,0x168b2ed29edee7aL,
        0x1fbd0c4c364acccL,0x16c89450a8305f2L,0x1bf62221c44dce1L,
        0x1d09c2c3f150764L,0x0cb2372feb6662eL,0x1e7f6bfda89667eL,
        0x05c66217bb409e5L,0x1e6fb8d4ae19463L,0x0481e22c036da7fL,
        0x08c974478544371L,0x061f8ab28e63ae6L,0x00d35b74e5c6f04L },
      { 0x16ec2b606af77aaL,0x07ae6d443f832d7L,0x10027d263158b98L,
        0x13f9755e970fa42L,0x071ab855db595b5L,0x1a4d8607dac9509L,
        0x032728338439750L,0x1b73ac30fb110fbL,0x103ee95f9154bd6L,
        0x1f29909ae8364ccL,0x1ef0c3eda993423L,0x1e1acd4996c1e94L,
        0x0f5d37367c3d22aL,0x0cbec72a8b4a967L,0x05ccb41bc3a9cd2L,
        0x07285688f8e1ee6L,0x1d000ab3034a9cbL,0x03cee80c0142887L } },
    /* 73 */
    { { 0x0e0033a3ac7424eL,0x15b44307ed26802L,0x1d9af2ddcbef6c1L,
        0x17e52f9b4846d52L,0x1b013c6e294a8e2L,0x11d1d6a58555c2eL,
        0x129acf4abb2621cL,0x13c195c659a2790L,0x021888f5e70ec16L,
        0x1cb19dea1544131L,0x11e4b9ed8366e1cL,0x0e4420ed3fc2d15L,
        0x06d24bed3489f2bL,0x11f59255479fe7fL,0x131c1af4d7bee22L,
        0x19c1bbbd9f47e90L,0x0367cc119a9929eL,0x043f2d6a2c6a02aL },
      { 0x099aa9d7d1000a7L,0x057fe57411c19ddL,0x18a37ee0f7162e5L,
        0x0308b4831b90452L,0x1d4170542f59fe1L,0x1b8ac0d45cb87c2L,
        0x1745e24630995caL,0x181c9de8efb81a3L,0x1b50b4cf33afad7L,
        0x0dd753c80c3852dL,0x021fe6ece8a1a08L,0x063c2494b39b8eeL,
        0x0f57f4323978575L,0x00b264a576ba613L,0x052fdd357d6b894L,
        0x1d464cc116fc5e1L,0x045f4cdb5bafdceL,0x005b8928ccc8660L } },
    /* 74 */
    { { 0x0290ca188d5c64dL,0x16ba4d3a4929a2dL,0x14f4a803a494165L,
        0x1995ef6cd740961L,0x0cdded83082cd02L,0x18b2374895a8617L,
        0x1fe5604f3a77bfcL,0x02ac55ce18f8ebfL,0x16f6852e07e2a46L,
        0x107ebe801c027e8L,0x0a93760863a364cL,0x0df75f8c8baf634L,
        0x01e8d9fdbe4918aL,0x02385b777d8407dL,0x05d3bdccf534229L,
        0x1cba5a57440eedbL,0x16d8ecb95a769daL,0x03d1fa11d3eb4acL },
      { 0x02d2ca69a929387L,0x1bac0e58e0fff9bL,0x127df946db2eaf6L,
        0x04749c263fb125dL,0x1bd87561ee8d863L,0x13f399234071f8aL,
        0x1fbfb8e965f8753L,0x016798e56f8ab03L,0x1f3e77f8aca8caeL,
        0x063ebee2f17ea57L,0x09154884d56de7fL,0x09e54580e2efba7L,
        0x0d0689621f546b2L,0x1fbc0b1f20ada99L,0x15fb484afa6bd44L,
        0x052864fac773667L,0x0f4ab019ef29680L,0x016d2fe2a8b11fdL } },
    /* 75 */
    { { 0x0429cf3c8a5c600L,0x006111ff19f3e31L,0x1d00295f772e9eaL,
        0x1b24b618e93ffb4L,0x0b100eb0d1ae156L,0x0a1e4084bd21fcbL,
        0x13c905a7a5173beL,0x06743ee69ca2251L,0x004387c4a419f01L,
        0x003c34580822012L,0x05aafe40d673cb0L,0x1fdc8f1aa9c7ca8L,
        0x0642a2173ef9c76L,0x0ff180a0b310cedL,0x1bc91f98780c55aL,
        0x0cb2541feb9c727L,0x0d3811792ba072bL,0x042af810cb8642aL },
      { 0x1fbfb6c847314c4L,0x030aaf5a2dcb530L,0x0519ae8abeb25e4L,
        0x0b57292f02e205cL,0x0110c4feed51f97L,0x1abb33ce97ad8beL,
        0x1139deb2339c2bfL,0x18fce6cd442dd64L,0x0dd1bbcec551c65L,
        0x092830570d42cefL,0x1205d22e9f4b9edL,0x0a83571d5188f40L,
        0x036fdff078e1a2cL,0x0a43a582373c126L,0x0c7dccde6d27f1cL,
        0x1cd9e455c66fe0dL,0x1971c3521926f8fL,0x014911b67a92e83L } },
    /* 76 */
    { { 0x1b8d80a7d8b29dcL,0x110120475324566L,0x117aba4afa4745eL,
        0x11fb4e5f78fb625L,0x1e760c6f1f347d1L,0x11c6c8889ba5a04L,
        0x107d1cd87a3c763L,0x09cee297d3ae735L,0x1c1f9701cb4df5cL,
        0x089c76c37b96570L,0x1f87ddab4603136L,0x0b7d3c5b7f3838fL,
        0x097c70c44df8c18L,0x1868adafc1aed93L,0x199517be65f3faaL,
        0x09cbca20288b4c3L,0x1aa16b068842518L,0x03e7d61acba90f3L },
      { 0x11821673c0bc53aL,0x0f6f1bf3a89b3c0L,0x17f68d95e86212dL,
        0x09743fbb307944aL,0x05da77d8096abbfL,0x19a162ce741b4feL,
        0x167c7c9ee6b9eaaL,0x1d20d9237ad2e40L,0x0ee0dab30914ecfL,
        0x1b23fddc9fa9f89L,0x0e29ebfe95f83aeL,0x0ddf3e55ac0e618L,
        0x07bb99dcc9517d0L,0x02304050a4b946cL,0x0e705f6c00d2bc5L,
        0x045419902187e25L,0x0bd7225f14f772aL,0x03671ee3f8eefc1L } },
    /* 77 */
    { { 0x07cd835a4397830L,0x094867a39998360L,0x0ea0a6627a31376L,
        0x12ac7b02a5ba6baL,0x087de61b7990255L,0x1271ae793c6c88fL,
        0x0396671cd031c40L,0x1425a8888c2941aL,0x163e7608ff32626L,
        0x13d1bf4e264dd54L,0x1b7145dbfff4958L,0x1f919de5439a18aL,
        0x16efc559d9cb6deL,0x020e5b4965e606aL,0x0587827917cff14L,
        0x0ab399a0b8473caL,0x16d2a731ee95c3bL,0x0428a889151e850L },
      { 0x02d033586ff19e2L,0x106d50ed14301bcL,0x13f955f1fbb70b1L,
        0x083789d16165cf1L,0x1df35c67a8f6f98L,0x122315660fcda59L,
        0x182c25b84d80d1dL,0x0ad7f22172ef8f5L,0x127c7f305514359L,
        0x0a6d8ae7b18f572L,0x158509f9a6cd330L,0x10a2bf825fe54a3L,
        0x13fb887162dec82L,0x0f0a445efe67570L,0x18f9d3368ccab07L,
        0x00d394406e9c45dL,0x004597ea1a1f0aeL,0x04588acf93bdef6L } },
    /* 78 */
    { { 0x0f71a442f961d30L,0x0b4543d639247a5L,0x01f2c6a41b36f7eL,
        0x0c0957f24ba65bfL,0x19f04d4c00c10e2L,0x0b82ed5c388bacdL,
        0x02124035539824eL,0x0ebeeb0e86793f0L,0x02e9abade6a7a23L,
        0x13b6a3c4a560bd6L,0x01496f080b66715L,0x195b57f5ce7a994L,
        0x183405991b95b8bL,0x02c54ce191b8f69L,0x1e32198ada791e9L,
        0x058f8f958163056L,0x0596ceaa79be023L,0x005ec3219ac47baL },
      { 0x0a1a8b47e734189L,0x0d64467f2fd0befL,0x1538450dd9914b1L,
        0x115f3d2ea088949L,0x130c6b3bc252230L,0x16fa3bbc58e861eL,
        0x0375cbb6b97c131L,0x068a6263b345dd1L,0x0c4e380eeacc93eL,
        0x04cd8d6546d8747L,0x123059fd75275f5L,0x04ae2aad99aeee6L,
        0x0c2611d13dc9663L,0x1ad17ee632e7074L,0x163ea84b257f99aL,
        0x059304cd310650cL,0x107da87d1f431c3L,0x0233282cc7e6c8cL } },
    /* 79 */
    { { 0x06c13cc6b4a5efaL,0x0cc4d8e83d932a6L,0x1b3a2f71a703120L,
        0x04584a63a82172cL,0x0ad0a100f54cfaaL,0x0ed224e5af8c046L,
        0x00f32fad494e3b9L,0x0f14c48010b7dbbL,0x1e792dacfd6255cL,
        0x01b8c83103102c7L,0x057a0fb45963062L,0x164efa51aa852ccL,
        0x1b83b75df34b549L,0x0bfddca1757893eL,0x1df24c13d837db4L,
        0x0f13fa10c63b7edL,0x00c17c38f986018L,0x00621aba55cd494L },
      { 0x0eb324c1d20cad0L,0x16584c63088453bL,0x0e71bc1b4db6437L,
        0x15781b432f4dd3aL,0x107ac5ce6cd978bL,0x04bf5aaca458e02L,
        0x0538caf51c59315L,0x0785538981e9ab2L,0x0772c5046a759f0L,
        0x1eb994534d6423fL,0x15f430c122ccc39L,0x09c081ef759d51aL,
        0x13a85f1790e6003L,0x0e42cb9b411ec8cL,0x078408a9ba6d9b1L,
        0x07f48459458f4cfL,0x1b900e7a19c0902L,0x01924ccf893936aL } },
    /* 80 */
    { { 0x07eaed67c834915L,0x1d5355e2f5b26b3L,0x12d8975880467ddL,
        0x04d33fb384e53d7L,0x0b8d4f6c0aee24fL,0x04bb6b70f5ac3a1L,
        0x1a995fc49c43053L,0x0c92272066bedb3L,0x1668b704906b500L,
        0x0cb4d07043b7727L,0x06fcfcbe764d819L,0x0ca36933c79df20L,
        0x1bf2dbcaaafb1a8L,0x0b9d835b405ca9fL,0x1cdb190c4b3159aL,
        0x1b02a6a69b38675L,0x191e4463a5210ffL,0x02bf515a5f8c615L },
      { 0x0f5e1628aa0f2f2L,0x13ae287235e5500L,0x1e6a928b10b631fL,
        0x14297544052f568L,0x0943cc2eb4f308eL,0x0ac4025480de8a3L,
        0x03df2ec497fbbbbL,0x038ca0591f33a30L,0x1e53539191580c6L,
        0x113c03493880f71L,0x090287ea9c9c5dfL,0x1c0498eb62a6f41L,
        0x0b538f1c2232edcL,0x1f183e976d11b30L,0x0bb82d135447a62L,
        0x1e60e484edc8137L,0x1c9a78c39277ff1L,0x0302405a3753c9aL } },
    /* 81 */
    { { 0x1087d663872ece3L,0x0df3ecaadb87c18L,0x1f1e73e56ee17caL,
        0x1bb7ff4c436a169L,0x0022ba5dbae3b58L,0x00a24e0730e9407L,
        0x15215e2b9445d06L,0x01c162650819eaaL,0x1800ed1b6b8ce0bL,
        0x0effeeabc6aef1eL,0x108dd1a695ad1cdL,0x06d31b2215cfefcL,
        0x006313c7c7d5e32L,0x1496f4f2db7fa95L,0x08442ed68bf8836L,
        0x0de4683668fa7a2L,0x0ccc5905edb40c1L,0x003ba5069cd47c4L },
      { 0x0e181abe3b6c106L,0x10b1fc6f0a85b9dL,0x00bdbcd520d93afL,
        0x06758f582d9eeb7L,0x091722afaa0d206L,0x0a2aa9ae3403341L,
        0x18fddce50798445L,0x1b42e24fc717ebbL,0x132cfdf031afb41L,
        0x1449e48c3de4331L,0x119d1298b272671L,0x1c5b2c58328eea0L,
        0x1f378cdf4c96866L,0x1a03fd19244f646L,0x04a4344e981c26cL,
        0x044e7a6fa42b2aaL,0x14b9623d303bab9L,0x0040a8caa121900L } },
    /* 82 */
    { { 0x1236d89fb7b2108L,0x041e656bafcd57cL,0x0c56d3876844fb3L,
        0x1e062b86c5ef8e5L,0x1272fe3f552aeaeL,0x021f7408f0a076fL,
        0x0c96e675e6fda1eL,0x0e99cd6a9fa3b37L,0x1b20b0e215b1badL,
        0x05010a7adc26486L,0x0efd4bf29b3b255L,0x091b3c9beede8b3L,
        0x0ed64cf17ee363cL,0x1b156d241822fc2L,0x1d32806100a859fL,
        0x1885a593c37e6d4L,0x074e8cf9d41f691L,0x02d5f90bc61625cL },
      { 0x177966bf3b3bccdL,0x1f0785f1f065523L,0x0ece31f5410c011L,
        0x1f28dfabf997070L,0x09ec0e87e77e3baL,0x10c692bcdd53c2fL,
        0x1f3fb60f155f322L,0x0c3372dcb5e4b7dL,0x14f05d15e98c71bL,
        0x00fcc8d3bf316d0L,0x1b1e072ea8e0842L,0x0cbbca9b37f638dL,
        0x1344ed14307522fL,0x0ae57eed7ae82abL,0x1e3d6fcc0d6cc7eL,
        0x173b28fccfe86c6L,0x048029f7cad5270L,0x00ad68ac3a6c8b5L } },
    /* 83 */
    { { 0x0de2eceaa588ae4L,0x15e2c51b8d11900L,0x04d1c48c111154bL,
        0x1bc963065ba01d5L,0x1689e843afbfa67L,0x1a71741490b1a0dL,
        0x077147e5aeef587L,0x1a32a840d080985L,0x0c7fe382742317fL,
        0x050576331a418b1L,0x0e53441c00613f8L,0x12e7fc3f7b0bf85L,
        0x11fb07435207219L,0x023729c93245b55L,0x1e95bfc8eef6ab7L,
        0x04bec1b71ba3e01L,0x163104815eb8667L,0x01fce266529740cL },
      { 0x136b29732ce637eL,0x0af96fae92e6effL,0x14b62c0ab65e068L,
        0x199f7567d2343a0L,0x014eeb752e5f3bbL,0x0d3c9d306965ebbL,
        0x085135124610f35L,0x0cc44859eeb9b74L,0x0a20705e788b997L,
        0x0709660763bf099L,0x0537dad86a6c159L,0x1e08e904b6b5638L,
        0x013da312238fd97L,0x06986386cab0241L,0x04bb9a779219c9dL,
        0x1127b79571e2a38L,0x14b5dc638b4668dL,0x0323ced6b111fabL } },
    /* 84 */
    { { 0x09044f3b05f2b26L,0x114a5405cfbb62bL,0x18a10a43dabacd6L,
        0x0604d4b0ef1073fL,0x0e5ff9c3761cfb2L,0x08e2bb3b44935b1L,
        0x0fbfaeb9b34802cL,0x075b90aeeace540L,0x00cae074ae1bad6L,
        0x1f248d0eb84ecceL,0x177b5994076704fL,0x19438655dfeeed8L,
        0x15c57683e81da6eL,0x0fcc6c23a8424eaL,0x166959278e4ba73L,
        0x13165f5af305ec9L,0x097f7c3bdb7a37bL,0x00ff04fca784302L },
      { 0x1a7eaae7648cc63L,0x11288b3e7d38a24L,0x08f194fd15644faL,
        0x170342dd0df9172L,0x1c864674d957619L,0x0b2ccd063f40259L,
        0x08ca3f2204d2858L,0x13c6cdd52d214caL,0x1415329604bc902L,
        0x1cf0cca57155695L,0x0a3149fc42fbd7bL,0x0b0d8cf7f0c13c5L,
        0x1a844cc25d73dcbL,0x1a759b29fb0d21fL,0x0903c0b5d39fba9L,
        0x17969e66ace0dbaL,0x06aeec7694cfd83L,0x026f4abc36db129L } },
    /* 85 */
    { { 0x067d3153deac2f7L,0x03bc55b0ecd4724L,0x1e582adecb56821L,
        0x0d9fbe9ef3e76edL,0x11ab8f4b00b3005L,0x1bce80e8380f0a9L,
        0x14dc41fe5235671L,0x180f9329d7904ceL,0x01104d4ee48bad4L,
        0x0c6705adfe4e82cL,0x0a2634c27ea02deL,0x044b59667d5f8f9L,
        0x1c5b2f31750244fL,0x126bdf1a6a8f46fL,0x080ad0cf926e9aeL,
        0x04eb42ec1e98f7bL,0x00c37e36a7e4435L,0x00e4a20c5f31b4cL },
      { 0x1a2131309dc1414L,0x1b2fe21e49a9ba1L,0x01eb7d7de738181L,
        0x150ba99f94dfe64L,0x03e995ab6f18b1fL,0x1598017ae213973L,
        0x1fc5848682792a0L,0x04d056cba372e28L,0x04993c20c20a7feL,
        0x0e4e5cc7338b393L,0x0b59cffad102826L,0x13c24a36978ab40L,
        0x14a05338ea3f3faL,0x1d84fb65baede23L,0x10d1824f2d0112dL,
        0x1d584cecfb43100L,0x1ba97851422098cL,0x0308dfdd95aa91aL } },
    /* 86 */
    { { 0x1baa55ef00ad2a1L,0x1d42f0a51486bdeL,0x1da3a4ac5a50a7bL,
        0x1a23d9026076948L,0x08bd27b267111bcL,0x101e0307212b814L,
        0x0212bca33ca8f66L,0x04176f91a5be631L,0x1e2ea1462e3aaebL,
        0x1a9ac0221dc2ebbL,0x191209553ba6f4cL,0x1d3dcd54331f03dL,
        0x04c26c5944eb2eeL,0x01558b3e3d2d540L,0x1f8869683bcb696L,
        0x0531cb45568ec05L,0x08d169cb3b83370L,0x0437362a20759d5L },
      { 0x1e033210b793d9bL,0x1d6f08eedaf6776L,0x0a49a24c2d93de7L,
        0x1bfc9fa365ee7fbL,0x12a4dc8806aad97L,0x0bb6ba839d2d8ecL,
        0x09b022be32f62f2L,0x00cc1695762c79cL,0x19c8300a9dcb1fbL,
        0x1ad2ca66d4ad9e9L,0x1f5f52cdfab21ccL,0x174441ddf5563f2L,
        0x06f3e828c8a3d2eL,0x02d5bbc0992c648L,0x0a2d85f20c985beL,
        0x1705ae4b2e32518L,0x06dcd7196bc3233L,0x041c33f5c8cfd09L } },
    /* 87 */
    { { 0x14fe73e22474edbL,0x131ca0d4270d73bL,0x06b671b75b8ca9dL,
        0x0a29f17eba4e065L,0x12267b9000c4a41L,0x0927d71e71751beL,
        0x06de049d4c05447L,0x00cf829b0a84c74L,0x020c8401b1ae0b2L,
        0x195008d840fa4feL,0x048fee5671b7e3cL,0x18f9001c3a0c3d0L,
        0x1824259a9aa328dL,0x1bf7b61bac3b51bL,0x0f5327c8eb6a2d6L,
        0x0713e047ed6dd52L,0x19e89f5414dffb6L,0x025935dd1731459L },
      { 0x10b1cb45d318454L,0x1ba4feba1b65b69L,0x1c995a29d18448eL,
        0x063909fa3c62218L,0x08403d55c85de12L,0x0fd5fc52fc6b730L,
        0x17380e56db84e6cL,0x021fcdad18679fdL,0x11d90381f94b911L,
        0x054754096e6375bL,0x00104dfa4328afcL,0x180f9144b8b4b3dL,
        0x1a5d84663cbeb5fL,0x0885b53e004e129L,0x023e35402c541ceL,
        0x03ccb0c0fb49882L,0x1c602c3d9c3cb90L,0x026b4bde2964b0aL } },
    /* 88 */
    { { 0x0db1ef0efa8fb40L,0x10e2dadd1cc4e70L,0x0c560274677ca40L,
        0x06982433c351adfL,0x14ef05e26b787b7L,0x0bcb71320bf0b40L,
        0x1086d124d0b6e3eL,0x06c5f0f14bd7f08L,0x1e71916d7e94a45L,
        0x00c5dd1d708cb49L,0x1d2fa55da2013a6L,0x0e99f0849f15d8cL,
        0x1d466ce6ab0a260L,0x049003c5ede49dcL,0x1c3c68ecfc56a63L,
        0x10b4f3a21fa1a70L,0x180a61241d9e4e7L,0x03b6543d0f36466L },
      { 0x157fb56e02e48b7L,0x0a589e604f4e321L,0x10d4901a73c3ef4L,
        0x1858760353b6be4L,0x06956dadf878165L,0x0b05b472a4f3e27L,
        0x1194fcbfa54e2efL,0x1372a5f0ad60b3bL,0x0d3f60225b377feL,
        0x10639945ff48462L,0x0a8b4ef23d7cb5aL,0x08864884a0a19cdL,
        0x0a3d3b3ce5f7213L,0x00b3ba890bf0933L,0x1ee2529d6d790ffL,
        0x1c6ea2b24e0c46fL,0x1be152607532be3L,0x013f3f96336d1dbL } },
    /* 89 */
    { { 0x18f65ade6a15883L,0x1f3463357ed99b1L,0x1aaf4fc4b797529L,
        0x006f70f020c40f6L,0x04acf6d31c6ff95L,0x1f3c61606a26593L,
        0x0603858eb1807caL,0x13638c798b42c6dL,0x03e92cfe895c934L,
        0x19c706c20f63910L,0x075d90b57ea585dL,0x0d8387c051d2c2dL,
        0x06b16d54092aa77L,0x1836fa6cc9ee2b2L,0x071ae5e82c9fed5L,
        0x0be813d3222e19dL,0x128ea8e42be53c8L,0x00174b21bc19232L },
      { 0x1540addae78ea1fL,0x0dba6bdb3874b48L,0x1107dc01a099468L,
        0x14faea418ff326cL,0x09ce12e18f97d6eL,0x1041a107d535013L,
        0x110d89642b2a1e4L,0x11ef49070c6eac2L,0x007c6149ef38140L,
        0x19dfac26bc29a03L,0x06c0426aeedbddcL,0x093fea5141350ecL,
        0x182e00ae3ce4eb2L,0x10bc77fd043c0f6L,0x144e9fa19306c94L,
        0x00c5f983cc5453aL,0x07dedb8b94e1919L,0x039cfa9ed278b29L } },
    /* 90 */
    { { 0x05f4a88924adc5fL,0x0360b540c7ab6bdL,0x04a5de57e552559L,
        0x1ba338a8001d892L,0x005912b42b48753L,0x1d24a30b7d11b59L,
        0x14199acf597cfa1L,0x0814e2e940208bfL,0x1b635031312a5e1L,
        0x1ce25a254b5c311L,0x0e75966ac00f569L,0x018c704de634f46L,
        0x0c6f7090cdc72f3L,0x08375f125a739c8L,0x091416966b1b0daL,
        0x08274734fe0db77L,0x084839991e1c58cL,0x0010611ffd10707L },
      { 0x00e4adaafc74661L,0x1e7b193bfe03289L,0x13dadb739e64deeL,
        0x06f62c374282093L,0x09610fb25b8d6b5L,0x0ef3b49110c218dL,
        0x018c37a7b27477fL,0x097a657f49a85b0L,0x13885702a6244dfL,
        0x0f6e8f6a2ac96fdL,0x17d16fed3806e33L,0x1da50dc42b601c3L,
        0x076a937e6a8f4bdL,0x00987b91c049aa4L,0x0a087e10549e2eaL,
        0x09f158db88d2471L,0x0ef2207b119fd8bL,0x03b73dfa9fc934eL } },
    /* 91 */
    { { 0x112842827ebd187L,0x19055db2d56ddafL,0x1969c8961a5634cL,
        0x131e130d576084eL,0x0ebff503da3f33fL,0x0fb8d2a08c03d3dL,
        0x1c92c971ddb2a09L,0x16981bcf7dbfefbL,0x1da8b0f42165f1fL,
        0x19ffb9bb98f9d71L,0x075f9c64f829497L,0x15476d67748c99aL,
        0x17aa1f37828df84L,0x13b99d63dd425c4L,0x0606885b9e58333L,
        0x101da9a8dad56a1L,0x1091ec12c257cbbL,0x03cf3d69395cb77L },
      { 0x0d970dc8f30caaeL,0x15e7885375f7a1eL,0x18fb1c5185b6172L,
        0x16a33c7530c7830L,0x04cb13d61c50db0L,0x0a3db4f9cdc4b1bL,
        0x0c3337d9f607c89L,0x16ee2af5773acfbL,0x0ccca25ba889491L,
        0x144903e3d13f06eL,0x1a3ef83f50ca07dL,0x1ee6ae41d812695L,
        0x09cdfd7beda5d91L,0x0501cf19597b0c8L,0x0363f707b0408c9L,
        0x000bba787acbdb6L,0x09432c916c84fe5L,0x03fc61bd62605f5L } },
    /* 92 */
    { { 0x1ec1e5443ac05e5L,0x126d266c69c1299L,0x102e22fe78af692L,
        0x016a7023b90db11L,0x03c3aba434d71ddL,0x0b08df32a820695L,
        0x13e80af102526d8L,0x186385a84dc4f34L,0x0535a5aa23b065aL,
        0x1545197e2975448L,0x17b29e7f76b48b6L,0x0bfa556764deb4bL,
        0x1bf37cd81e911f0L,0x0868b5c62ed673eL,0x1d625383839139eL,
        0x14e9e2bcd15dbc9L,0x02fafe04999fc92L,0x00ebb81d54b873eL },
      { 0x0a4c81d3f0062a9L,0x1595c6cb5105d54L,0x037e192f44078c7L,
        0x0488276c28cdbb3L,0x09a555f8ba05f59L,0x05a968a8d33d06fL,
        0x0ac8eb30bc25cb9L,0x03756bb55d8e309L,0x0ce08b43e7c7f69L,
        0x1072985bb6213faL,0x1481a7908faf714L,0x13d069be299cfa6L,
        0x15446305ac6b5e3L,0x1f1a66e09ee5f94L,0x07d6beda0b2cb87L,
        0x12df3a9588ba222L,0x071c5ef63cd47f2L,0x00516207649e104L } },
    /* 93 */
    { { 0x1bc384faf5747dbL,0x0b04360355c3584L,0x00ba79f0551ceebL,
        0x02ab2ef57f480d1L,0x1a81deb02d5326dL,0x05b088831d4d02eL,
        0x1ae426a1b929d49L,0x1742805f0f49565L,0x17d0721d4d5c600L,
        0x117ecd4f944fedfL,0x1399b7b379bc1c6L,0x04efb573f4e7ebbL,
        0x1f6c474bab62171L,0x1b776819b696e24L,0x0a0974f7005f87dL,
        0x0bc8772e2eb809bL,0x07e6c297e3d54b0L,0x0177da2a32b64e4L },
      { 0x0712b008b21c064L,0x17f212538314f52L,0x0d026dd3c2bf461L,
        0x06fd93cc52c86b6L,0x04c60d086965aa4L,0x182bd56ed0a339eL,
        0x1bd802d9599c2fcL,0x02cfe0bd08079d0L,0x0c05073a904401aL,
        0x158f31c14a7303fL,0x00c949a73dc1185L,0x0837d19cfa7440fL,
        0x137577053d29411L,0x05533186e9c56c6L,0x1410d436e9a3ecfL,
        0x0ec17d97d5fe3d2L,0x1e49f5166d51d2dL,0x019ba9967231448L } },
    /* 94 */
    { { 0x11118533a00bb9bL,0x1fdd722fb33429fL,0x0a1752bb8934b4bL,
        0x1606830add35c23L,0x0731349f18ba1e1L,0x0b8adad4d640bc1L,
        0x14bab04f7f52951L,0x14f4bee8478bb55L,0x130a483b9535b76L,
        0x174d6d27fc39f4dL,0x18b611c8e841564L,0x12f71db589c02acL,
        0x1a39d8fa70b9354L,0x0068ac4fb0db220L,0x0817c2855075d59L,
        0x11210c532846fe1L,0x0bffd8b00346bb2L,0x00c9515aeea6699L },
      { 0x1576628365ced07L,0x1997d82ef0e8fb1L,0x06f2fd029ea80a7L,
        0x11376a148eda2f7L,0x195a62781b1b2a0L,0x07e0cdc9c4d5ddbL,
        0x01ce54b3fd83ecdL,0x1ade757292470fbL,0x0a8f053e66920ccL,
        0x1796ea5b1d4da78L,0x03b78547a084a4fL,0x181610717f43356L,
        0x0c9ffc11beafba0L,0x0ae6043c15ead3dL,0x10bc318162ff656L,
        0x06374d0da9147f1L,0x068c33abaaf1d9bL,0x0319711449de061L } },
    /* 95 */
    { { 0x0851d2015a1cccaL,0x114863f2915e18eL,0x155463aac14d3bfL,
        0x0f790bc42e16e83L,0x01cf8b29ae65619L,0x0a423c57098a0f0L,
        0x162b8b8b2d64d9aL,0x111d6af761f8637L,0x0decef5d6c264e7L,
        0x1d42b664e5cb6c3L,0x05a04c9e460f69bL,0x1040707af2d45b6L,
        0x1f1d0c6fedf03f3L,0x05355ecdac522b7L,0x1e5bc6495626016L,
        0x13d4e673ea58b07L,0x145cf6ded8fda7eL,0x03461ece0ae8e66L },
      { 0x1e26265e6b392b7L,0x0ecdfbbaeca84b3L,0x13535d9453df3b0L,
        0x041bce5c39c2d57L,0x1adfb033d86f59bL,0x122be6533721e68L,
        0x16a8b6cd10d0017L,0x0636cf4f22cad03L,0x1c32e7babf01147L,
        0x137f0b769d8f4b0L,0x18a63bd8f49b981L,0x1bb0a835badb249L,
        0x1f9982f9719bea0L,0x02f83b5677ca806L,0x0f4e5ad721db98fL,
        0x0e8f4abc255cb64L,0x0a509efbb362ec6L,0x047902af7119943L } },
    /* 96 */
    { { 0x04ab9e3b82c1af0L,0x0f4f3f965713225L,0x10298061f51bf19L,
        0x0bc72766c69fd55L,0x019bacce27d3f33L,0x153308ce4fbe004L,
        0x0ba54fdd062d6e2L,0x113ff528aae6e55L,0x0937d78048db385L,
        0x086436fb78fde0eL,0x1af6268bc2833b4L,0x1f446ce873d6915L,
        0x0b3f17d2d8ae5d5L,0x008ecc4a081d350L,0x02d9e8bc8cfda29L,
        0x17e0cffd9d16643L,0x02e0422540f2319L,0x0094964649a0699L },
      { 0x1eb55870386463dL,0x1e15901b8ecbffaL,0x15c42e06716b52eL,
        0x0d9e095a82366c8L,0x06939ec10cbb42dL,0x0c23f3aec0ce3b3L,
        0x0cb921d16b04e80L,0x1009ee0960438e4L,0x12c9e58a0acb057L,
        0x091dc59dab0f14aL,0x137c01e7e6e8d65L,0x1f843d552c50670L,
        0x0f8aea2b9078231L,0x1868e131d17562aL,0x0ce400201d7b5dcL,
        0x0527559689dabf6L,0x16492546ac2f011L,0x03e3c3b15f5c10bL } },
    /* 97 */
    { { 0x0f7d6fb067902b6L,0x11d21e8b9acc05cL,0x0c4965d07776ca0L,
        0x0e8067f2b80c59fL,0x08589b8c6e391b0L,0x1148791c18e851bL,
        0x07ceb8d1d352548L,0x0729b5629ac445cL,0x18f00fcde53f08dL,
        0x0cc8bd7383f947aL,0x0a82e81a3981f15L,0x07cfafc3f0482cdL,
        0x004d6a328f60271L,0x0c4866953e12aaaL,0x082c82834b8c992L,
        0x1c139e440f289d9L,0x01d5c98dc0752f4L,0x034a01a826c26f4L },
      { 0x0b7b366e5407206L,0x1aa6786c47d467cL,0x1523dc9cb9bc7b3L,
        0x05035688d0dfdfcL,0x0e474408d653137L,0x0839bfa965af872L,
        0x141c67909ace992L,0x15e4aed83369301L,0x191f346280f272cL,
        0x0730527a34798e4L,0x1a8ca642113625eL,0x001972a2b0570eeL,
        0x0514b1adbf8a557L,0x1de9a1f7d58d79bL,0x1607cd08baffe4bL,
        0x061c265f3f6036fL,0x146ad850e06ba6bL,0x036d4f013de2fcaL } },
    /* 98 */
    { { 0x1eee4c25c9490ceL,0x1625186fb41c090L,0x1f8292a4da3aa5bL,
        0x149784c5e7cd8c0L,0x060c34ffd8b0492L,0x0f99e6842351082L,
        0x1d84bdffde990a3L,0x002218aa0884304L,0x09d25fce9149bcdL,
        0x12b08e6e7e309eeL,0x1dfa225fd47395cL,0x1e629d18116a2b3L,
        0x1575e7538f3fa3bL,0x08e42010750ab08L,0x00ab42b4782a546L,
        0x11cbe1a44d1759eL,0x112a04c6ac4058bL,0x03b9da05cd9a8acL },
      { 0x0ff2cdc3631cfd2L,0x06169c03b9bde00L,0x05a8ce2949c0531L,
        0x1b665957bdac00cL,0x070b17cad0e3306L,0x19a9f719b39c755L,
        0x0eb4fcbd2aa35e7L,0x1c0e25ed5b2aedeL,0x0e427985289b2bcL,
        0x0ec7ca6ed496518L,0x0751d76124b7641L,0x0b949a2bc97b312L,
        0x0b254eabbd3e06aL,0x0076a89e2392ea7L,0x1eab9b0c4e52b3bL,
        0x1a26efc1f30b377L,0x175dc125546833fL,0x0095a31c2e2b627L } },
    /* 99 */
    { { 0x10dbebd932951deL,0x0cea12d534e4a40L,0x1013b2cbc2365a5L,
        0x1844a17058bf893L,0x1aec4e1dac74f0cL,0x04cd66cb521cd29L,
        0x0cebf0cf2ae6a41L,0x1165f99bccca9b3L,0x0f4af285c3863aeL,
        0x1b99b9f237f5fc4L,0x159cb0f26adfb48L,0x0261fc240418ea3L,
        0x0f52f3e56ec1c51L,0x12532540d6c1201L,0x1c58fc8d226adeaL,
        0x0662e143f6cc3b3L,0x01717c69be10e55L,0x030e0c9af3ec46aL },
      { 0x0722d9b3492ae43L,0x04eca829c782d17L,0x1620802aad8c7beL,
        0x01d749622f5cefcL,0x1a461cb82872c12L,0x09c7932e1219641L,
        0x1f700c56cd0d32eL,0x11a0b7e558b1898L,0x0d2e501dd596b37L,
        0x028364fe5c48618L,0x0bd185f0d87c32aL,0x0e30b46b975c7a1L,
        0x11f3fc013821f7bL,0x0592476fde881afL,0x1272b81d18a2bd6L,
        0x10ee71ac843a091L,0x19475e3da392ca1L,0x013d686f938e9edL } },
    /* 100 */
    { { 0x03bda79305b5aedL,0x1ea522ccc6b53cfL,0x074c3dfadc00b19L,
        0x1c28fa388990abcL,0x089540edc18a7e9L,0x15fe901f54cb0c6L,
        0x110de94ef8829f9L,0x18d9290fcc9d982L,0x17297920734ef85L,
        0x106a738eaf0f5eaL,0x0ac79935235adbeL,0x1c0acdc401a9fb4L,
        0x1a5a5366a1782a1L,0x0d239b9c151e386L,0x18083a3f8fef4acL,
        0x16ccbafdf180cffL,0x02fec686fdeeacfL,0x02ecdaf13b6e8aaL },
      { 0x037c5a5cb3e472eL,0x1ec939850a02f1bL,0x0b96d1261560854L,
        0x1be73410a201332L,0x15c6c56018f00ccL,0x01aa071311be08dL,
        0x0c611063b50204dL,0x0d7fdef97e0fcfeL,0x0ecd92366bf4857L,
        0x1badf0d5e4a648dL,0x1de379285889d86L,0x0fa78b8d79711c2L,
        0x075ab71858c52e5L,0x1fb71cfcae61c16L,0x09cd7f384b0b0a0L,
        0x0b32c98fc1de5acL,0x166e071deb1835aL,0x0127c48e6e5dc63L } },
    /* 101 */
    { { 0x0ef60bf6778c1e2L,0x0e01e806adf2e12L,0x01b8bc06827ffd2L,
        0x095c12dcb1d8233L,0x1077984c59a728aL,0x0652d2d55de76dbL,
        0x038f7ed1cef4a1cL,0x195192518c29bc6L,0x13fae7f9a4f67abL,
        0x1e15975f610d4e7L,0x1c358a7366d77a0L,0x14b38c1631bf5f4L,
        0x1e4049b54cadeaeL,0x16e98871eaff7bdL,0x18c8733f3baf1d9L,
        0x115eaee91dfc71eL,0x012fe9c32b118eeL,0x0431d61e7ea16fbL },
      { 0x036fca7b85a2fe2L,0x1868477214ee305L,0x08245070e513cf9L,
        0x0cce4e541519374L,0x1968bd06306a810L,0x1e301ef34d0aaafL,
        0x193eae1bdf91c54L,0x0992e0cc295deadL,0x1c0dc36b898780bL,
        0x1b2bff11d0e9931L,0x05ea190d548b250L,0x0feddbfdecf203fL,
        0x146daa17a0d9189L,0x02d667def5df18eL,0x07f0779bc5e4402L,
        0x02859c1b4dc651fL,0x05a1c9d53dbe1e7L,0x01f1f8d8f45c339L } },
    /* 102 */
    { { 0x1ea15c07b7fbf05L,0x188db0f8d1c415bL,0x056b477346f264bL,
        0x155a1efd1793bbbL,0x1ca7ab7931f5b7fL,0x12adf3149b72f5fL,
        0x19550c3d05f7066L,0x17e3ede9c86879bL,0x0971f5e6582f044L,
        0x1e1dc7221446204L,0x0b167ee01fd5d5cL,0x05bb0316b1e0c35L,
        0x0097a3b0d3a64eeL,0x01ca582c37bd053L,0x0cd45f62e17b320L,
        0x07e0d340b28e97fL,0x02589ad5977a79cL,0x04090476c380540L },
      { 0x093509914c4ce37L,0x1dc21d0d5245308L,0x0091603563a3cd2L,
        0x1366eb71750c00eL,0x0d3bde836db42c4L,0x0919db561b2a927L,
        0x051bd548786d192L,0x15d78f98baac9bbL,0x19c14b035bfb5b6L,
        0x1915d0c00a360d1L,0x0beef21c8853d5fL,0x0fef69242ec816cL,
        0x01cb4d6df13acfdL,0x11300548aff886dL,0x16459fd98389881L,
        0x14332f58fb53b03L,0x1c26e8e260cb6e7L,0x0221c1fdc406f59L } },
    /* 103 */
    { { 0x107f01de44f9af6L,0x00d26c658fd0e70L,0x0fb3edf7524cd8eL,
        0x144d51073fccb7cL,0x1ec789d8d0b8435L,0x062f0ff7307c8a9L,
        0x0a073897fa940afL,0x17008ef818afc89L,0x1349e9f83230ba5L,
        0x0a17997ef0c06ecL,0x0e7abd928f44737L,0x109d7d6e1075160L,
        0x04f12742cb80ef8L,0x190501311447306L,0x14eddfd1055b315L,
        0x074b39aa8fbcce4L,0x0459829a6eca601L,0x04577384786aa42L },
      { 0x0f22d9c32c54409L,0x1fd233af5d5620cL,0x04a218a12606a7aL,
        0x1ed6751c1921c5dL,0x1d77641ed0201f6L,0x0b82bae4b980b65L,
        0x13807e49bcbc1c0L,0x0089308091ffd81L,0x0bf696211f319d3L,
        0x05ae422648d4462L,0x03ef3b800c2a09dL,0x0a4bc9edaa42988L,
        0x0c29d67d1ebed67L,0x010e9a9b57bf23eL,0x0ca5017e8c1f6e3L,
        0x100bead6d88d577L,0x1a0f059a7e3033eL,0x04b87b0ff304b52L } },
    /* 104 */
    { { 0x1c53d231bec8e4aL,0x0d60a1ad301a60dL,0x076942791936202L,
        0x1b1491046a9dc10L,0x125864b6496ae1fL,0x06834fd0d74c319L,
        0x09ad2eb284fa5d3L,0x1486e7198b163b1L,0x15fa71f58e76b9dL,
        0x08cdf4463f58b7dL,0x03c4feb5390a772L,0x0ce24933f3dbeb9L,
        0x15a10d8bd74583bL,0x0bc85dbf5e71008L,0x0ade377d9b5d815L,
        0x0abf5262d5dbc90L,0x0a7e0d8fb2d75f8L,0x02025adca2d3ee6L },
      { 0x1ee682a517a15c7L,0x067de77c401017cL,0x04e5441a8d52ab9L,
        0x042e1fd7cf9dc58L,0x13d0c54b5de6019L,0x08495bac4f1cfebL,
        0x1f97c6571c4d632L,0x0f396fdaa7e14f7L,0x12bd9242af61cc9L,
        0x09778b629cafbecL,0x0b0729c2ccbc263L,0x04daa5a30b821a9L,
        0x0a942d6195a5875L,0x128058561499582L,0x0bf48c3f896a5e6L,
        0x04a78bf43e95cacL,0x00260f55af220daL,0x03fd508dac18a30L } },
    /* 105 */
    { { 0x0ba4f0c6e402149L,0x0660ecb1e608cd8L,0x106a9949d1d8d61L,
        0x0b92ae2be4ee81bL,0x1f89fb0e3f77ff7L,0x0df1ffd9791a569L,
        0x1fa09545640cbbeL,0x127f93f643a0846L,0x1eb2eff38a153edL,
        0x0ea9d7008020e89L,0x19516dfc6f60a22L,0x0f9c872a7d4b9e5L,
        0x14d85e75c8dd4a2L,0x120df0e1806972eL,0x1080cb7ae4fb588L,
        0x1ce023ca7e4be04L,0x0bfb9957636c3a4L,0x00a5b1d2976cc7fL },
      { 0x010b55371c43336L,0x1ea5311d24125bbL,0x0b800a18146c677L,
        0x191ebe3db6f72f4L,0x1b67daad86abbb9L,0x0ffd7db3d2bebbcL,
        0x0f18e2b3941b735L,0x0a10bb53f2b1358L,0x0081cbaa875a3d1L,
        0x19a9ec7f49a3769L,0x0d87c687e680b40L,0x126e74cb38e3655L,
        0x0b4f5df8a1b0cb0L,0x15bead0edbf0718L,0x03973c1df131d07L,
        0x0e3591e08d938e5L,0x05532dd0bc7f7c1L,0x001242c39c1b693L } },
    /* 106 */
    { { 0x140dd2375a4cd8dL,0x05219cbde5d3c66L,0x1610963587d44cbL,
        0x13b43d1cd0618b9L,0x1d65d40a0a7ec05L,0x1a86bb03d478b88L,
        0x0b90a1a79957bd0L,0x1a17319cde0b307L,0x17b61391d9d8bebL,
        0x1294f12d8dd2ea4L,0x1ccba47dacb3d8eL,0x18d47f476c528deL,
        0x0cc3ef0ed2bd66eL,0x0f845a3b1cbca87L,0x16838bbba40232dL,
        0x1790ffad7c84b2cL,0x1ae78ed513c1177L,0x033cc676fff2896L },
      { 0x1e3f8fd1b97c5c6L,0x1d59f3c61d99fa4L,0x104903d656e8e7eL,
        0x12bafa86ec884e8L,0x19c44777174225bL,0x0b5922c4059fe63L,
        0x1861370eb2a0ccaL,0x0e4ab227bee2e69L,0x1a4db23d39c9344L,
        0x15d9b99e8a10508L,0x0833e7cd822f733L,0x19ec619fc27f73aL,
        0x115f30874ca618aL,0x0f8002d2baf8359L,0x0ff276d41bbf9feL,
        0x0f883155d4f1803L,0x195f9179255f78eL,0x01f53d7692974b1L } },
    /* 107 */
    { { 0x0617e045b06ae25L,0x00a46e5aba877ccL,0x1c398130ae8af2bL,
        0x16ed6f12eb23d45L,0x051da18100c19f6L,0x02b82dbcdcdb683L,
        0x16fc7cc896faf25L,0x0da61686be6b800L,0x1440b4482bc24d8L,
        0x1c784cb6b1b9bbbL,0x15b1587112d370aL,0x1dcc6120d332cbfL,
        0x0408aa1ec1e9405L,0x1e97944a8cff849L,0x1d19e5fbbcc91a8L,
        0x0befc02d86ecb78L,0x04462d2569fd070L,0x0354569ce029280L },
      { 0x05f020d46be7282L,0x0d7f6909c078972L,0x16f75769ab42501L,
        0x08ff17cc3c99b94L,0x196b8178c2d6f18L,0x06fcaa100994a9aL,
        0x0ad3634ec79edeaL,0x0aceaf8c37672aeL,0x0d749b57b80cc3bL,
        0x0c87fc99bd9fff6L,0x0ed94c517725365L,0x0c0c466bcae6737L,
        0x17f763feba70c1cL,0x0630db994e17396L,0x1cfcb291da39093L,
        0x0b19aeefa5f4d54L,0x1aadee4dbaac5cbL,0x00d0c08bcce7d70L } },
    /* 108 */
    { { 0x16ff62f77575ed0L,0x0a7d4be8ed4cdb7L,0x1beda7bf5fd863cL,
        0x17bb850c665ce55L,0x186c5834c45ab4cL,0x1baeec587106a42L,
        0x112634e5c0468e5L,0x1b002619011e826L,0x12d408ebaf5115eL,
        0x083502e01306f6cL,0x0dcd88672ae4471L,0x118dd0d2750d3cbL,
        0x1fcc7736174cf50L,0x0aec4e51a738922L,0x1eef260bdc6a87eL,
        0x0ffa49774f8d4c0L,0x1a8f3a515e7212bL,0x03e96ee3ac9187aL },
      { 0x105816d4ed2cae8L,0x15e3edce001bb9eL,0x039991ac235133dL,
        0x0297380301847d3L,0x0f9179c1f9ee6c6L,0x0cb445708e4d09fL,
        0x1c29e96d851fa3bL,0x0eaf5fd6c91a0ccL,0x0d670333c176852L,
        0x04eecb4bafcf479L,0x1c8a34de9a2b7aaL,0x1abc8a99630d76aL,
        0x0f063dd55021a05L,0x065b6579a4080acL,0x152af9e4b753c21L,
        0x13aece189b0a4f0L,0x0ba845969dc6e72L,0x02d297c3d58dfa0L } },
    /* 109 */
    { { 0x1019e9109ecacbdL,0x0011ebdc4def576L,0x1c2d5c1cdc79951L,
        0x082d91c42ef98a3L,0x01259ab514832b0L,0x11b0ea58d533414L,
        0x170a9b8403e488fL,0x04dcb27ddd3c752L,0x1699b6bbd16c10eL,
        0x0a43c39ca39d09fL,0x053716c9d261f2bL,0x00ea4ab3c5d3e38L,
        0x1dc3d47ad257dc0L,0x0ea93bc9c224c24L,0x1f56e660f7c9e2bL,
        0x00540ee1c7d91ddL,0x1fe2ae5844676bdL,0x00bf813b21f382fL },
      { 0x1a4010d29abea1fL,0x1cb4a9203d6266eL,0x04a410cc862d8daL,
        0x162c7aa6952d4c0L,0x0cc20565f221fc3L,0x142abb82dd0adf6L,
        0x0134c48e3953658L,0x1c8362884af0f10L,0x196fbf304a89a9fL,
        0x053f83625f32158L,0x0883a1b8ac217b2L,0x0f85fe94b23bba3L,
        0x13a4a343b88f7f2L,0x1d8b9ea6e0bd83aL,0x101eef9a12c7a22L,
        0x03aee7599d4887bL,0x17edb15c88d4c44L,0x00778184d29f2caL } },
    /* 110 */
    { { 0x1c25721fa8e5b60L,0x09c56b48e05d927L,0x0dd82c28892191aL,
        0x04fbc2d0efc8da9L,0x0721c630863f9acL,0x13fd81281ddb779L,
        0x0f4e7e306677c2dL,0x1b4f183dae5c0f5L,0x1cf9deb7bb32f0dL,
        0x1fb9378361e44f9L,0x022cb465c8896abL,0x022e9e28beb96e0L,
        0x0c457c4f378f5a6L,0x0e229e32270737cL,0x1a4b2022ef6a910L,
        0x06ac2af7c64db4dL,0x12aa9bc3fd95d77L,0x01e9db6635d9bdbL },
      { 0x06f12cc9722c880L,0x1b5739435b444b7L,0x026eb4bebfb0e86L,
        0x14877717df74398L,0x17c3f4c3ad64ad7L,0x09d48dd2d7b5004L,
        0x0fdacabf2c3670dL,0x1219427f956d399L,0x1699a1391f2abc1L,
        0x0deaaa111d123f2L,0x18603e55223668bL,0x17fe24899879c40L,
        0x1e87d3a365ba9e7L,0x1d2652f11494bd5L,0x0f86db10153e8e3L,
        0x034896720c47acfL,0x0e71fa67c5778f4L,0x0174a3721e3daa2L } },
    /* 111 */
    { { 0x180fddfc60934aeL,0x13f7f8b21036894L,0x1e5905bb5d68b0fL,
        0x06b9a165b9eebcfL,0x1faad87bfac60cfL,0x04f2eeeee25f670L,
        0x1c6b9d4fea1f261L,0x0978baa2d465837L,0x1565dbea814732bL,
        0x03f5f1d672434b5L,0x09d35b36e5da500L,0x04e0cbc9cf7c819L,
        0x013aac4ebc3f5cdL,0x01eb61d0ba423e0L,0x1e81da99d8b80d1L,
        0x0cefad21b192a8cL,0x0c2768d78d61edaL,0x004cbe72a80c0ecL },
      { 0x097746c965a0b81L,0x0c5f372f096fd49L,0x0f11c57d0dfd22dL,
        0x0f6acb88b2aae76L,0x1582797ce425e90L,0x12a3a7a7a1fa890L,
        0x012b3976be9be3aL,0x10655d71f7c27bcL,0x0ed7f95f0e8a07cL,
        0x1009537331604ffL,0x1ba6e31d0b3c5cfL,0x0b35c514388b7f2L,
        0x145cf4e2f38ea57L,0x1c80d00ca3aca0dL,0x045acb9f74f00b7L,
        0x17311cf49bdd4e1L,0x1e650b272b52fa9L,0x04b7cf84fe848bfL } },
    /* 112 */
    { { 0x0e8aac42c310a96L,0x0c181fbd1539a3cL,0x00f48e58881ccaaL,
        0x1db2a8250188d95L,0x0cabe911ad131e6L,0x0db6342bc8fe2f1L,
        0x021e1432ddfae10L,0x19d5ff27bd47a79L,0x106541f1df1007bL,
        0x17394e12ae6f8feL,0x1c4c5cc8f8e5c93L,0x14835a9a1183c1eL,
        0x1fa35e22bfa2de7L,0x04d81992d4c8955L,0x145353a814048aeL,
        0x1c157173ca3e80cL,0x0a5423c7aad79d3L,0x038ccc713205c7fL },
      { 0x0140fcdceb6ed78L,0x079bb8c29a28b20L,0x196ba358373194fL,
        0x0d3b58abf008a16L,0x0e05686cce6c1a7L,0x1892b1454b5496dL,
        0x05094bf911d8849L,0x184e8f796a149e7L,0x0f0ec6ff2fc531fL,
        0x0be1a23887f4ff8L,0x021e0e71e4b3ff2L,0x049004df6033f69L,
        0x1cd804c290552c5L,0x1ae46539a000d14L,0x1977e81d0ad6b60L,
        0x0956386f03e2eddL,0x0acca6b85f03dfaL,0x041c4ca0d058699L } },
    /* 113 */
    { { 0x0f062a2de067dffL,0x193485e5c00b160L,0x04341c1e8af753cL,
        0x11f5c94723319b3L,0x132ad8145afc63bL,0x0cefd8b4278dbddL,
        0x16122c28b738bc6L,0x0c444c1c2fe91e4L,0x17393db00c2d5e8L,
        0x1447c2a19c678b8L,0x1e50a40ab3d48a7L,0x1970d06b5e7a00cL,
        0x12b8a2614c19157L,0x09a7623617d537cL,0x1ea04d413fe57d4L,
        0x08e099e00c4ddf6L,0x025454b3d05b37aL,0x00fdfed18934a76L },
      { 0x1ebb657c8f69c77L,0x013c5d1efc47d7eL,0x15c707ede2d24aaL,
        0x14238e34668c76aL,0x089958b0d2066a1L,0x0eb3d3086440a18L,
        0x1ee3ee5d71f833eL,0x0c3b54ba410e606L,0x15ee5005d40bf58L,
        0x0073673bedd34d4L,0x10f2cf258b31d0cL,0x0c5299f080ab127L,
        0x1a225c9d700ac98L,0x1c8f23f4053f7b1L,0x0be12fbf86121a6L,
        0x0f17e373afbd718L,0x19e67788915c0e2L,0x027ca4465621378L } },
    /* 114 */
    { { 0x10dfcd4dd51b8ceL,0x1c93c1b11874030L,0x1c70d9665588215L,
        0x17c595d0efdb8ffL,0x07967608905ead4L,0x1c493650e192ecfL,
        0x02938f8e7b776f4L,0x149b52590d0bedeL,0x1e16f800af47a0fL,
        0x05a6dadf2fb0555L,0x1504be60e14f4d4L,0x04a136f2f1386ccL,
        0x184e0e72b264b62L,0x12aae15df52b002L,0x0a4b846aef52407L,
        0x0431e6f08334e2eL,0x1926e0b5aaae174L,0x03447034247bcb5L },
      { 0x1fef641313b8f64L,0x08dbdca163a3166L,0x0ddd70362af6bbcL,
        0x015e8083520cf9fL,0x0935210f608ea5fL,0x08bd0411eadec13L,
        0x0b4856ae413f09eL,0x13f0bb763fc8ba4L,0x0c3d5e5094d3615L,
        0x15da9470e9cdc79L,0x12a0a3d12b3bc2bL,0x15be418af4a9babL,
        0x1378f95f4424209L,0x1499be9baba15a1L,0x133f6df447e9f66L,
        0x02fd9acd418138cL,0x06556e55b8f9bb8L,0x00b91e3f1f26209L } },
    /* 115 */
    { { 0x06486d8dc8b43f3L,0x1073093204f344dL,0x10df66d1800ff0fL,
        0x0ac509d8f631138L,0x0a9dbaea3a85033L,0x1c499e2d1b32e23L,
        0x05241efda5077a5L,0x05a3dab4a20d268L,0x1664a7b7a8cb800L,
        0x01fbb723076852cL,0x01ae8c7d3afc9d8L,0x1a83e58714ff87cL,
        0x19cf1db08a296ceL,0x06f3d1db1560c7bL,0x1da2c1b2467a20bL,
        0x0f96a2bcefa53b7L,0x13a21978baa4e94L,0x0425faa15bb184cL },
      { 0x1decda9e364f21eL,0x079a280972abf60L,0x0121623e438435bL,
        0x17c76209717448dL,0x03aef57a9f6dda4L,0x193f54b5fbd1a37L,
        0x19b1c840a67fba0L,0x08b5533e90fb52bL,0x024ff813ed2cdf6L,
        0x0edd96945ea0a5cL,0x0406bf2be869874L,0x173539bd7b480caL,
        0x15e41039e47d9f4L,0x02856fa157a0d9cL,0x07a79278fa79aebL,
        0x0fe469e42675c68L,0x1534968c0f3cb15L,0x01c1fc13ded0340L } },
    /* 116 */
    { { 0x0c46a216583ff4cL,0x02d14a56b84f397L,0x073f013284a9399L,
        0x0922c14fcbb8cddL,0x169c762e82f128fL,0x16dc73dfd913d8aL,
        0x1da23e031e58f0bL,0x1994fb5fc0c9341L,0x0b7e417542d14b8L,
        0x1062e29c36f205fL,0x014a1876de4cc4eL,0x1cd3f7fc0e37e1aL,
        0x16210e9903b902cL,0x1b81f5dc30f234aL,0x17de2dbebbe1d3bL,
        0x1d475ecd128fdbaL,0x0256fe865475af5L,0x01d890f8aa1fca3L },
      { 0x126e847659275e9L,0x00e7eb687e7282dL,0x0ff62a8fc7bd1d6L,
        0x0bc909cc1cabeb9L,0x1e9698e41e7be31L,0x1823c26c78d107fL,
        0x16cf89751b6a5eaL,0x0134a4db6eb0699L,0x01fd408d98d08a0L,
        0x00025902dae540bL,0x18eecd9792efa3fL,0x024aeb376ddeb67L,
        0x17c2fac737f50ccL,0x0939ca8d782fd40L,0x12ccd9e7b840b4bL,
        0x0a2be551ca817fdL,0x083673446fb2a6aL,0x02a82f0e89b9486L } },
    /* 117 */
    { { 0x03014a1d15e68a6L,0x18593326e9af286L,0x10b40eb59fe5be7L,
        0x1da58289083186eL,0x0d41a3cb74818c0L,0x0f9f4f628c08b48L,
        0x04e19972320ff12L,0x139364c18c2584fL,0x0f6086faeced04eL,
        0x1d96675febe23acL,0x10c4ce40a5ff629L,0x09d012e03590967L,
        0x07508b3762ca826L,0x0c1d46ff4fcbb54L,0x15663a575609c52L,
        0x1a6906a1a4cd3b3L,0x17c85cb89cb0f6fL,0x030bec06a52ba18L },
      { 0x0ef267e70022b67L,0x1b5da9bb45ca526L,0x159b49e1118a014L,
        0x087048723262a74L,0x1df78c4a49054d4L,0x10f1ad4688f0b92L,
        0x18c766c94a9c756L,0x01c0f0cd90102e3L,0x00a8501db1b38a0L,
        0x16c995c673b811bL,0x1dd8263b6bdf40bL,0x1b5772600dd345aL,
        0x04bbfeb0363aee5L,0x0710d9c5fd7fe46L,0x0a381a41dee59e1L,
        0x108e2923f8b3fb9L,0x00b3f624f550e93L,0x028ab7a843e68bcL } },
    /* 118 */
    { { 0x0234e220206e8d0L,0x17aea3f8ad7992cL,0x0a2758e2543fd7dL,
        0x12fa892be95f56eL,0x08da80a966ec4d0L,0x1c51b5d6c4862ebL,
        0x1717f92a8248193L,0x062f33c4afc1e9aL,0x044c677ae24495eL,
        0x101c3d9d2dc71a9L,0x1e43d1d68a1ee5cL,0x198b8783e5eee06L,
        0x1b41a7fa4154895L,0x18058045dc3407cL,0x191cf2ff351d162L,
        0x1c3342939907174L,0x1ba78ed5f7aac9bL,0x0292a2cce599bb2L },
      { 0x0739679a21b54c4L,0x167155b24bece84L,0x0a4b212219000a7L,
        0x1fd3f4f3b3e29e3L,0x06c208dbae48dcfL,0x11fb4f0a5c88e12L,
        0x0e0e16ac3efcb6bL,0x176301590fda3dbL,0x0146fd718188586L,
        0x0875b2a2a33e5e8L,0x0e5020599f3fb88L,0x18356e7a34c1544L,
        0x00881c1cbedb125L,0x1be181196f34298L,0x0f23463f8d31c4cL,
        0x09d078d8c0e1cdeL,0x14507e365bab4afL,0x0117853f6ee7c15L } },
    /* 119 */
    { { 0x062791fea7f1b7fL,0x0c62eee7f84ea71L,0x070ce71f716270fL,
        0x0e84edd1810d855L,0x09fe1d564dad401L,0x1408648548c7acfL,
        0x13712e35e59c0aaL,0x05dd6f5106c954bL,0x0fc4c23bbe7afa7L,
        0x0ddae4f25643484L,0x0e404da831f9bd3L,0x0002938431a46fcL,
        0x0794b324a2855d7L,0x1143d038f23ade3L,0x0d0c8f3262a3719L,
        0x113d272b45336bfL,0x046e186c3ee0c03L,0x03cfc0f378b39a6L },
      { 0x1f2c1f3364f3c4eL,0x1956289b3f0a5c1L,0x13f164cf90f54daL,
        0x0a21b2c3fc894dbL,0x1e3f2aae34e5947L,0x153f928411a7673L,
        0x084932e4b802af7L,0x0743df749e14f23L,0x0c2086fd21192d5L,
        0x160687e5a8e457bL,0x06cb2b703c6d7ffL,0x111f025b7c3291aL,
        0x0adedbdd45b07a3L,0x0b812c4d20439d3L,0x189ed92f0a849a3L,
        0x0dd0b77edc7502fL,0x00073ee56636d38L,0x02217669bcef3e0L } },
    /* 120 */
    { { 0x0cd1ae68a2f90a6L,0x1ea0eb7ad68665aL,0x031100752e3bc9dL,
        0x09b06ecc62d4705L,0x15e1124be817a13L,0x15caf20a15bac6fL,
        0x078f897ef1a77f5L,0x19d46193ebfae95L,0x15ac0f163d89663L,
        0x154f77b86731c36L,0x043a9763b55510cL,0x1fe1311284f4f4dL,
        0x05eaaced585de23L,0x09f0c232bad69b5L,0x024e440d4529b07L,
        0x0add07b22c586feL,0x11e5c10add9e33dL,0x0428bb5b9835534L },
      { 0x12110fa28a21e38L,0x11bceabb9ea9c51L,0x0efcb40837125edL,
        0x072c30679ba6d2fL,0x05fa85165917759L,0x155ae936b822fd7L,
        0x16dc0ce43ca69e1L,0x18d5817b461b89eL,0x1cca0240adcc615L,
        0x10f8b81628a36c8L,0x11cb429cb3be1e3L,0x0e1016cd37439d6L,
        0x1d7e61aa0a84840L,0x0334ab05bcd847cL,0x03adc78e20582f9L,
        0x0b2184726b85b29L,0x0b3d7fd83c09431L,0x04558aa5db72bb4L } },
    /* 121 */
    { { 0x0686003353c4a96L,0x03074482e6c1a94L,0x0d923d9be331397L,
        0x113f599f3d7ab22L,0x032639e5b6b80b9L,0x0556f5de0e0fd77L,
        0x080b4bd8e5b489eL,0x06a014f2da03130L,0x018ab548f3a4748L,
        0x0682b61d98d871fL,0x09a374059144b6bL,0x0db29607e7782b7L,
        0x0bd8f206c520383L,0x0f8bbcdb6b27653L,0x0acd2a24c68d87aL,
        0x05c45b04d21f8a5L,0x0a9342bb8e09292L,0x00dfe6ec2700581L },
      { 0x10b9a4375a365d9L,0x0f0af046c7d8198L,0x0f5f5d0b7e0f52bL,
        0x09bc630e85392eaL,0x1360ace0cf7309dL,0x134b21891471091L,
        0x1694c410f48e3ddL,0x12ff855b7dbf21eL,0x041d64cb77b5f93L,
        0x100598562236808L,0x0190b48c5c83f94L,0x045b735440eb879L,
        0x12041eae47fcc01L,0x14643b5242b71d8L,0x0d81ac516191155L,
        0x0af7e3438f08446L,0x0f19b766d1f2277L,0x012dbc51dfbdceaL } },
    /* 122 */
    { { 0x0835718156707ceL,0x011cc218a7c8548L,0x016a2f95f6f66f7L,
        0x0b5ac7497002f91L,0x15aacffdd4bba22L,0x0aa3912e738dc30L,
        0x14f757c9991d5caL,0x1ae1501e3ee9e15L,0x0010538a3fc352eL,
        0x0532022a101e365L,0x11ea20cc31ced3eL,0x1dcc05b95836565L,
        0x0fed2b17c7b3433L,0x1eb194e397024ceL,0x1eb70de7e1a0692L,
        0x112b6712f328c6dL,0x0f0dc5650c892b7L,0x03855cab832d28eL },
      { 0x0778ec47b585d93L,0x09b085319ff2723L,0x15393a80c46b29bL,
        0x177ac8005e43b42L,0x191cb7a9af22190L,0x141bebcf319d63eL,
        0x1ba2bb44f0c7fb9L,0x02db4940fae2c2dL,0x0d78a27323afcd6L,
        0x0334b72dd0a6b4aL,0x1d535d37d610830L,0x009c4ef1c792e66L,
        0x0c55b5a5c2e85e5L,0x051d65ae182ad50L,0x0223b68c4f7d4e2L,
        0x0bbbcb12d596a54L,0x0befc8842a084c8L,0x02ff64fbca8eef3L } },
    /* 123 */
    { { 0x0bc2c7cfe519f99L,0x15ec072a081a9afL,0x100a28e623cf8e5L,
        0x0bac037b435bdb2L,0x14ce64ac1c03b73L,0x1201487e98101b0L,
        0x025f560dfafa404L,0x073955d43474aa8L,0x1dce73d25b0b881L,
        0x0f6a095f658485cL,0x0a7fdf58f6acf0dL,0x0fb20c5b60e3320L,
        0x1642a4c11d55543L,0x127e488493be97aL,0x06495351dfe9914L,
        0x0c318f625d36e4fL,0x1957ad2ae22d84cL,0x00546ab31e74768L },
      { 0x1ac51630a21fde1L,0x1aeeb3481ec24a1L,0x07b97f758a073f3L,
        0x00ef493468da493L,0x0875c06f4dedc6fL,0x1dc023235ed1601L,
        0x00dbf438383d8d1L,0x08420b02d36bccfL,0x0c961912ade8a80L,
        0x19ff505549d9e99L,0x0e3b6c315daf177L,0x1addb1a6fc8f3e2L,
        0x19cce5e7cb7971aL,0x0e9015a0755c2b9L,0x087f49a2292d0d0L,
        0x0df22bb084aafc7L,0x09f872fabd5b3a8L,0x04adc9a49b55231L } },
    /* 124 */
    { { 0x198a70199f951deL,0x0f2cb782c6da2ccL,0x107bcf40f74e3ebL,
        0x1a676283a69a8f3L,0x0cfe8a406e928d5L,0x077d1ecd232c005L,
        0x1c9bb4422b4bf07L,0x13ec972d243c026L,0x0b9b6a6b68e83bbL,
        0x0f8f36e092172a2L,0x03d9d8bd9659acaL,0x012cbc20b683a7fL,
        0x1a16011e1ca34ddL,0x128aaa0dea7489cL,0x08859b7ba9371a0L,
        0x0c248df00615990L,0x07dbdc7ae1d31d1L,0x01712f7a8b10d7dL },
      { 0x133cf8fdd8e7357L,0x1d10c75676edc12L,0x0c741e134ab0cceL,
        0x0de50095c4d1c7cL,0x17e7ad7e1c927f3L,0x1fbc5000a19e913L,
        0x09eb82d0073c161L,0x16b3bf9e06d5400L,0x0c9e46c8b1d9a46L,
        0x136f2430f944699L,0x1b68bc6e2810f6aL,0x01cbe5a176adbaaL,
        0x0419defb5634623L,0x10e9643a0cf85b7L,0x03916cd57b0df34L,
        0x1d0a47b7e072f6eL,0x1d6f0862a8dac7cL,0x043cbcf53f0a0f9L } },
    /* 125 */
    { { 0x17e7b3f7f1c747fL,0x1260ee37319b4cdL,0x1dc2cdcb6e80546L,
        0x09a7dca9fc84e7fL,0x133cae0fca6d223L,0x0b7886097e47066L,
        0x073e49cca14e177L,0x12390de7f7be035L,0x05322677fe36caeL,
        0x0d3801997f7f522L,0x128ca33a2bc85ceL,0x0eeded4e63e8593L,
        0x1f66a96813c0256L,0x06d976d46343d9eL,0x113faf4652aac4aL,
        0x08365bc61b8b5ddL,0x016c052236a9792L,0x01f64c401611ea6L },
      { 0x19e760c4072f74dL,0x1586f55aca02c87L,0x090326c0270b9e3L,
        0x00716b35cbb67bdL,0x0b4daa0647e875fL,0x079bc47a075a1b1L,
        0x0be2e69a93e4824L,0x0addfd7d35fdb7fL,0x1f87f96a59867e2L,
        0x137f691bad5b575L,0x09e0a8ff6c4f2c7L,0x0e3ce1f44c422feL,
        0x0cfd4c0dbe5102cL,0x181a394bae95837L,0x19f9e014df309a0L,
        0x1b4651b7ebc5656L,0x1142f633f3aba25L,0x01f498af477d764L } },
    /* 126 */
    { { 0x055cfa5239a9ea9L,0x1e34805f19d3149L,0x0d2e72d90af483cL,
        0x0c0175ce30eb3ddL,0x13410f843316c54L,0x1894db43a53b6afL,
        0x07c7048ed40ba43L,0x1195b91f350250aL,0x1f57b764a1b6240L,
        0x0b7600f8d403bbdL,0x1b3bc87c3771704L,0x08f9cb4d4b4ee8dL,
        0x0706e955ba3c49dL,0x1a2ebcd80f0aedfL,0x034421d8a7031e6L,
        0x045ae224f0610efL,0x19122585dc78c6aL,0x017681506853413L },
      { 0x10434164daa2682L,0x16995809acb12a9L,0x0d2af619c25c389L,
        0x17dcef5c5c89390L,0x1af6c16911a19d2L,0x0b082a1cdea94d1L,
        0x03f84db32970173L,0x06ac6e14b37b8d8L,0x0ca420d27b93d51L,
        0x03986a2aaa6228dL,0x0963265b37afcb6L,0x13214a1f340bd7aL,
        0x1a7b0f01510cb1bL,0x08e90bf0b4d464bL,0x0bdd7a0b30db4d0L,
        0x054c3e22ed114eaL,0x1dd1db01394a09bL,0x00a313c2254f7ebL } },
    /* 127 */
    { { 0x1ca3aed232803cfL,0x01cc5cd4b7f9a35L,0x15fdd2ade22f079L,
        0x00fcd1809b95eceL,0x1cb7cd20c3a53e0L,0x0345e52fcb4e0caL,
        0x0c0cbca2d969b70L,0x029c79403a63b0cL,0x09b733b8187808eL,
        0x0eb826cf7f30c5fL,0x1cd50ac06e51b6dL,0x033df7dbbb7e4edL,
        0x0b903275cee057eL,0x0407bde33e8c179L,0x11db050f3717ddeL,
        0x0a0e5ade07a7ef0L,0x028035f5557a9baL,0x03d65abdb5a014bL },
      { 0x041356944e6b07cL,0x02664f0e39a2ee9L,0x136389cee7ed147L,
        0x13711c69f880e88L,0x1152776dfe49607L,0x0114ce3be8c267fL,
        0x0a25db440cee71dL,0x04053414d08ef7eL,0x059ffdf10ee8f04L,
        0x10b8a36225dab6bL,0x141b0bee6ba1553L,0x05b7b27cf9ab063L,
        0x063c96b607b2cb8L,0x1aa4f154419c0e2L,0x12887501abb4945L,
        0x1f7bbdf2f1238eeL,0x16cae9807c78675L,0x0352d02dcb1b1a8L } },
    /* 128 */
    { { 0x0e71ea66a8f4f33L,0x037e326f547a549L,0x14b3fba21187cbfL,
        0x1c112a9a11a6ac4L,0x068ab76659b0a83L,0x07c6822deb4611aL,
        0x19eb900a04d5e40L,0x08230383380a570L,0x0986a516918764cL,
        0x180efd709abae92L,0x1a6b9564d9dedf2L,0x004a8db936322e4L,
        0x19c40097c8f6d17L,0x12ce203dc6f3424L,0x14a762ddb7c00c8L,
        0x16bec812355b22fL,0x08ca7f46d214a7aL,0x034402a5a387672L },
      { 0x0d168aa51a5b86cL,0x1f26c4abbb923f8L,0x01dbc5c80ca490dL,
        0x1b2c8f4a9d5d088L,0x0405622c0a7ac87L,0x13cf978f2cbd258L,
        0x055b7b7bf971bc2L,0x1ed5e7de1849aaaL,0x1917fb04eef047cL,
        0x1c93ccfaa5b109bL,0x1a8cbcc52f82e0dL,0x0cb6188cd6190ebL,
        0x0e7e218978e157cL,0x06f2c3d7e946486L,0x01defb6e43f0eebL,
        0x0219bba65ae3917L,0x0533b432200ca8eL,0x00010fa0ceca7b7L } },
    /* 129 */
    { { 0x191122c43519d26L,0x1d60ea0528c2290L,0x07a5522ee27ef6bL,
        0x182d0897f398deeL,0x178e8d559ef3375L,0x05f0e2f3bc4fbc8L,
        0x1790013d666d87eL,0x193011193345977L,0x18939a260893206L,
        0x0d725fffe698428L,0x12cffb823fabfa8L,0x0133fe295578cc9L,
        0x0c2a841ef961f38L,0x0bf80edb06c1ca6L,0x1aeddcdd7eb62b4L,
        0x04a24df868aecdbL,0x19f1e716b05a425L,0x03cc2ac4014f0f6L },
      { 0x0cb3aaa95106473L,0x17d20ad30ed0251L,0x0d894e558f0257eL,
        0x032a62570ffa792L,0x1f885c76baa4809L,0x063c6ab63f3ac15L,
        0x11035c3db6ad88cL,0x10d19c60a38ee8eL,0x06dbebd14ffdb61L,
        0x07020fd0c87204bL,0x031199bb98b8aacL,0x1c54e9e667ad742L,
        0x04fe7b9b6693d57L,0x036941be803556eL,0x01d07abebdcbdb0L,
        0x048ee63198bcd22L,0x08d9c5026096569L,0x04aec11e18e87d8L } },
    /* 130 */
    { { 0x0eebd86140528a5L,0x0615d29cbcde435L,0x0e293b0512afc9aL,
        0x1b054fafdb63793L,0x0e0118d81efabb0L,0x00aac778963868aL,
        0x19cf8c581c5a287L,0x1ba67c8516fc96fL,0x06317663783aec9L,
        0x0b97fdf709561aeL,0x1c2feef05eca914L,0x10e0e83f02546fbL,
        0x1be2888f9c4212fL,0x1ab652ae9ee765eL,0x00a3906a77056a9L,
        0x1b607e63231d972L,0x1547ede02856aeaL,0x00713846abc32a7L },
      { 0x070cc53cde20f88L,0x013962fad881c91L,0x0679772c76fe4ceL,
        0x136e5ae982a085cL,0x0aaaaa554b3de21L,0x1435d30b624d459L,
        0x05a5402110f96eeL,0x023dcd79ae4419eL,0x159ffac6ba89abdL,
        0x01890bdf88ab1ceL,0x0a2bcbcd32e948aL,0x07ce0e4f520dc9aL,
        0x1f69017766f27f0L,0x1d40891f342163cL,0x0a5cee32cd1a6f5L,
        0x01b7a9181e68d48L,0x078fc5784a62399L,0x0069ed59dfd94cbL } },
    /* 131 */
    { { 0x18376e6ce29c3ccL,0x083f6780b65e347L,0x065978e533872c1L,
        0x1ee78a1a83bd7ffL,0x0d16ce3d24fc526L,0x0098a0a76ead2a1L,
        0x0181aecdef76647L,0x151c6885de5c675L,0x12ae90337c0629dL,
        0x1fd76322c955998L,0x0e265f60ae15ed5L,0x1973466e62ec352L,
        0x029086751fad6c8L,0x0c60b8cb412caefL,0x1a5cd5ea07a5fecL,
        0x13ed3c9e914277eL,0x026a1387c2e5cb8L,0x02985a775ac3a5aL },
      { 0x1f275a1bab7b5aeL,0x0ee2681d2bdfa74L,0x112a9171416eedaL,
        0x0682d5880592e9bL,0x0ed985dc726369fL,0x0a2350b9af273c5L,
        0x0c0a8152361e737L,0x14d099d60d33c2dL,0x0f73f6fa4789b11L,
        0x150620fd95273c2L,0x1da40a4ea6da5daL,0x1c01e075156563eL,
        0x1b844d66c1814ccL,0x184a9100b26592aL,0x08c89c6de539f58L,
        0x149b3c0a5a9c87bL,0x17f5278b2e708b6L,0x0484a12a940632bL } },
    /* 132 */
    { { 0x069a14d0d5b4c2fL,0x1e2cdae45324e69L,0x0ceac38df528ae3L,
        0x11222206fd2b7d9L,0x14e35322fda1a76L,0x1c7d7e2c08702d4L,
        0x1398a8937304a85L,0x088b858c7651c7bL,0x1995c3f179452c4L,
        0x0998761a16a28b0L,0x16982ad3be04a4dL,0x04a5175d3827404L,
        0x06e2e3caf885493L,0x1b24dfa392e8d30L,0x13b17c7510246acL,
        0x066678fa15f7ee0L,0x0f527bd1d62bd8bL,0x0282b8088e7f30bL },
      { 0x0084acef534356bL,0x0ef02a5a587de68L,0x18173b81370677cL,
        0x106c36f1c20435fL,0x0f78d38b64bde68L,0x052f2751927e63fL,
        0x0665bfacdcb3bacL,0x09dde09f966cb02L,0x07dce5d505eb0abL,
        0x114dac411c62c37L,0x18c65ef36000dc7L,0x08a2900d739fbcbL,
        0x0bd18e67ab8bf5eL,0x1cfb1fd6a1984b4L,0x1062ed09a9f413bL,
        0x1c459438fe2476bL,0x19f485b848225dcL,0x047f859b7eaa073L } },
    /* 133 */
    { { 0x1f2e2f43ff42cffL,0x0cfce8e1a98be4cL,0x0e4aae86d5168f0L,
        0x0a95f53465b6e92L,0x17dcd43684232b0L,0x07cc8a85c2aea36L,
        0x088622b0d788117L,0x00baf9e458fe003L,0x1057d35aeed4083L,
        0x0d2528caa9e67e6L,0x195e4e4f8ae4e49L,0x05606845d84ebcaL,
        0x1e3ac53958a2033L,0x1cf4d8b1cd84802L,0x19863598a01468dL,
        0x1cf5f6941b813f8L,0x03e9e0e857f6748L,0x038d9477762bbebL },
      { 0x142b0cd99726bf8L,0x051dc8e10479e24L,0x039ec1663aa84a4L,
        0x1f44b52251fae52L,0x0037d7dac6a7791L,0x1141bd9699ed926L,
        0x18a83087bfac1c3L,0x04f7ee1b2ddc7b5L,0x143ed8191850760L,
        0x175855426a56bf1L,0x14407fa316dd312L,0x14dd5a4dd7bb78eL,
        0x086b78aa4edbfb2L,0x108acc245d40903L,0x0e9713b252aa3cbL,
        0x052b41a21b3b67dL,0x05ace7fec476318L,0x0394a388d1986c9L } },
    /* 134 */
    { { 0x0e4590432bbd495L,0x1a6e8df2a4b9ffeL,0x18757670fd38cc3L,
        0x10b374e40800d7dL,0x02c2c76840ee607L,0x1f445f60ca7e9faL,
        0x00842839dac4ba7L,0x18e2f9bbbb7d856L,0x0689d436b00811eL,
        0x1535d1b9425f4f2L,0x0e56c801f504529L,0x13e61e23ce89578L,
        0x08e9396402f8cdfL,0x175a3142e2ff5f6L,0x18344de29d45d0fL,
        0x125c7337f0f058dL,0x15f3965e170beb2L,0x0000e1cec2c00feL },
      { 0x0805cb9da4a0912L,0x05bb522085e527aL,0x0e3bb1c7596f49fL,
        0x16902d0935de7b9L,0x08b24635780fbb2L,0x02273477b538135L,
        0x1d2a0558972204bL,0x1c8c49846589af4L,0x081a770374b1631L,
        0x0727bf8edc8be17L,0x1197f47d87b6541L,0x009397bcdc7a3a0L,
        0x01d7131fcfb1048L,0x056d238ab1be706L,0x1a65c988b936f0aL,
        0x0e8a1eea618b959L,0x113a0160dccee28L,0x0489973385dc8d7L } },
    /* 135 */
    { { 0x057efe27996099dL,0x1a26dd037304640L,0x1d0342561622dc8L,
        0x0cf3cb5dd3d6950L,0x108a2fade53daf0L,0x1f383564ab054d4L,
        0x091a9fd2f84c441L,0x1ccdabe7b365060L,0x0a5f8e8da27cca3L,
        0x1a8ee5326147949L,0x08c43bcc77f5e3aL,0x0f845940e7ca99fL,
        0x14a40da68392e0cL,0x1a869c7e08178b4L,0x16b80d45aec1f31L,
        0x193bae07d07c575L,0x0d1ea93c066b4d3L,0x03e8581f2bcca07L },
      { 0x1e7ea304dd94c63L,0x180e2b9c5859d2fL,0x1e328539ad2d5fbL,
        0x1d4a6a64ed2a694L,0x1c22d00607622cdL,0x035904d7b4b503bL,
        0x0ad29ccf06219f5L,0x0992ca99976c4d8L,0x0a098d3a1a84f3cL,
        0x0cb7cf696b9a5baL,0x0c086975547240dL,0x1a5e3d8a247fbfaL,
        0x05b2c1aa39e2ba7L,0x1c759493fcb9349L,0x064a9bf4b9d743bL,
        0x1ca1df574e25c32L,0x060a606b43a9b83L,0x018d8bc17ed5aefL } },
    /* 136 */
    { { 0x18dba454034db92L,0x1bc80c79a6e26c3L,0x1cbb7dd530ce8e5L,
        0x159aac75111a009L,0x1b5ffad1eaa5954L,0x0c5edc514eb644dL,
        0x16d1ea2b7d956c3L,0x0b7eff7085b19b7L,0x1b72e3a0380d320L,
        0x19ad8593e563e54L,0x182f2f62951d770L,0x0e33d749a4bfff8L,
        0x180c50fca6736f7L,0x00600c801ec80e1L,0x007e1347f6b3deeL,
        0x17782eb9ecb1eadL,0x11f57a7e6345cefL,0x037e07df29f03f6L },
      { 0x16d116bb81b0e5fL,0x0e952956429dc24L,0x0b50c9ce1fc360bL,
        0x09752258b26afc4L,0x09d5dcc13e332a8L,0x06c2e9c5b8e321aL,
        0x135383260bba50eL,0x1c72172aa797effL,0x12cb39bbc38fed5L,
        0x1633e4e2d621481L,0x08485efc1f69568L,0x0b5b4173c9ddd7eL,
        0x028ee9e0c655ac0L,0x045db71f885d896L,0x011ba4573cebb95L,
        0x0aa7e95ce4d3916L,0x1c8cb266012aa0eL,0x0380c9ad0d4a647L } },
    /* 137 */
    { { 0x058d41da4626deaL,0x1b3650adc81cfefL,0x0290c593996c97bL,
        0x1ae919f99f33502L,0x0f142fa99fe6daaL,0x038bcb3d5cd35e9L,
        0x08e6e932e85a175L,0x0ec25a6166cd787L,0x01f46a5dc8bf450L,
        0x03472948a10d607L,0x01881966ee8712eL,0x0a5db4d31720f4dL,
        0x14e54537072b4b5L,0x0f480b2fa81cee6L,0x15177f10a81ea7aL,
        0x1d6615071ffe7afL,0x00041991e5a3b5cL,0x0364b0f644b4e53L },
      { 0x03bdc1bc4e7eb46L,0x162abacb63da438L,0x1f359abf5d375aeL,
        0x0acad9cde69f322L,0x124971755635510L,0x17fd969e8fda861L,
        0x08af7f699e0f98fL,0x1ef7af3e3e7ddf5L,0x0a4efbe5417af9eL,
        0x077b2312d2adbd2L,0x1cc8e069c4cc11bL,0x14ff72ac4b4622dL,
        0x1a0b027e96db2a2L,0x041959de3505521L,0x17eab01163f9749L,
        0x0ff34a46831beb5L,0x153c05a89cbc49eL,0x0418441ec34f125L } },
    /* 138 */
    { { 0x19b1c6202557389L,0x0e74bd6f7e05e4aL,0x19fe0cc3ce0d7f9L,
        0x1e2d9f703d12777L,0x104428fd27e0c6aL,0x0f30c137b2732deL,
        0x047294f7a4916deL,0x1261146278290fcL,0x065cec3b9445bceL,
        0x1de018a6b3f6a4fL,0x0dac90c1e08d48cL,0x1b5f275a63a4d3eL,
        0x10c780890cd78e5L,0x0f22f7f4f93415bL,0x12ebfa9c0570d3eL,
        0x198d826ba9749cdL,0x18c43a378a47e3fL,0x011bb7cbfcb31c7L },
      { 0x06e1ec0ae575b99L,0x065a7c0dcb86e05L,0x00934e9ce51df85L,
        0x03f646b53be0147L,0x1bf629440b4b9c8L,0x0b2ebd468a88afaL,
        0x0f8ef3f4d6d0c78L,0x0f6ba25fd4565dcL,0x0629984a6f5182eL,
        0x121f179e1b2e847L,0x09c244c3cdb9c93L,0x1401fa68a803326L,
        0x0ebaf96dce698b4L,0x11b3aaaa11e27e8L,0x0c95e12982e82b8L,
        0x0c942a37b585b60L,0x0968ab4190a2154L,0x046230b30b5f881L } },
    /* 139 */
    { { 0x1fca2582d1f36a5L,0x1695944a62f96f7L,0x16e10f3b613c3b7L,
        0x05b61c77366b4b9L,0x0719a112290f898L,0x11b16b667075780L,
        0x1f91f43995f90e6L,0x028aa2d4abac4d2L,0x0269e1f778e6365L,
        0x11ef6e5ea8134deL,0x108c0110715f157L,0x06398e0aaf1bd9dL,
        0x131e489eabdb83fL,0x1cafe6da0def7dbL,0x076c00482d9e33cL,
        0x059912119f239ffL,0x162cbebc6f455f5L,0x00aaf53115a6308L },
      { 0x0be2f1f876fa42eL,0x143a4bfd6f773caL,0x03d4e32196bead7L,
        0x09bf00b360d25ceL,0x0b5a7ac916e99b8L,0x031e958675b0374L,
        0x026833b48cd5cb5L,0x1be5a1e4c465534L,0x12529998c3861fbL,
        0x08c4453e0df1885L,0x08a714362ab78dcL,0x16f07626a67b362L,
        0x18ff029708dbcf9L,0x0d41f7c41e53a37L,0x0ca111296804e87L,
        0x095751d209a3095L,0x0c32fe84b3dbcbdL,0x047ab879212c82cL } },
    /* 140 */
    { { 0x0b66c8a2ca9c508L,0x0df6134eb5bc06fL,0x099a23ab5800b71L,
        0x0e93ae4c282dac2L,0x0e472e6f61841b9L,0x13d43b20f207366L,
        0x05e82b68909907eL,0x1e88b73fa679873L,0x1b25e8fa97c15dcL,
        0x09267590974b14eL,0x11cb19f6cf65580L,0x1a56f834f088751L,
        0x066dd027ff8e2deL,0x1f3d15e34a5584eL,0x1c31d8fe26815f5L,
        0x0c4255b17e44d9eL,0x01d4cb268e7c8a2L,0x01e8b8f43d96226L },
      { 0x02ac16e8ce49820L,0x122f1606226e49cL,0x0449cfa1631093bL,
        0x188c64f9f21d8cfL,0x06159c1f918cb25L,0x0a2e59a1f1c3b5eL,
        0x0d1fadadb8380ddL,0x082c9707356ba24L,0x172e09274a300d5L,
        0x1559473440e08b4L,0x003fffadd6a10c9L,0x05946b2241be94bL,
        0x103209f4a30a580L,0x073549c03ff7416L,0x1b8472ad46005aeL,
        0x09d8f7338d8e185L,0x00416105af1ab9dL,0x011a74c7c1a66c8L } },
    /* 141 */
    { { 0x143520814db9cdaL,0x1ee23cb56f6487fL,0x09bebd162db6673L,
        0x0ae87d546308755L,0x01735d813f1f741L,0x02caeac8af0c973L,
        0x0f234d10688b42bL,0x06ce0977ecf8089L,0x12f960471be23a2L,
        0x01931c40ae8eaabL,0x008c2ddac776533L,0x073e183914cf282L,
        0x0c833c910df2e54L,0x032dc26fab58a0dL,0x1c0aded19f2667eL,
        0x0d2a03604a3f443L,0x093de5b52609621L,0x035109871e71d0fL },
      { 0x01b67a04b3ca1a7L,0x176a98060674069L,0x0da24cb3c1eabd0L,
        0x02b84b86b44599aL,0x0dd04d0636523a8L,0x1c9d1df66e9cac4L,
        0x0d4c1cf68d40acbL,0x0ee98bc1879abcbL,0x0ef9f5486132687L,
        0x0c3ff7e0f3a1149L,0x0b0a7a89397b7bbL,0x13e067093e34db3L,
        0x1240f2390508abcL,0x1fc9a1a9d84d914L,0x0bad5419e441cb1L,
        0x170e02054c703cdL,0x0303ee0740996feL,0x01a7837d54e2694L } },
    /* 142 */
    { { 0x09dc79f2348f005L,0x02eb8efa49058c3L,0x1f29b7b992926d7L,
        0x09d0549f69fa36aL,0x1957836621b7f73L,0x143ecb31be5c1a5L,
        0x1b2af24d0406df4L,0x1c62b21f1580725L,0x0280dc3737f75f4L,
        0x19b7a87b530d631L,0x160c129955a36a2L,0x0553b2610e14e9eL,
        0x12fc8895cc80d79L,0x048a49cfb68bd8cL,0x0756e79260e4be9L,
        0x1056b5e6c04fba8L,0x11a452d79e25caaL,0x03b26a3d8fa08aeL },
      { 0x1f22303a2ee8b9cL,0x1b969c2efe6a42eL,0x060c4204e8dc6e7L,
        0x167bce83ead6857L,0x1303bb5be28c523L,0x0dfcd7842bb12d7L,
        0x16cd249bca66ab2L,0x01c437d58101a88L,0x06a523a02d6ba2cL,
        0x18150d8bfe71432L,0x1a88d78c0307ab8L,0x06d4f69526228a2L,
        0x08c0cc89f745437L,0x0076c46f69e05cfL,0x0dff1c01206413dL,
        0x12e709e4d36ac79L,0x01009a1d53a321bL,0x00e06ece191851cL } },
    /* 143 */
    { { 0x1aa1f67c46a7d9aL,0x0199a5f6fc8e67fL,0x09d11e90bcb991dL,
        0x02483ff5528b067L,0x135efe6b6798005L,0x059201b84bcd421L,
        0x047717c184fd7c2L,0x1f8d7645f9ac9e4L,0x0e1b8b2a3a0572cL,
        0x0f075a0bca850a5L,0x12eca4fadb35306L,0x164a8e144bffcc6L,
        0x09a3d15a0a31a04L,0x1f97f6f4d20fbd6L,0x0e52803bfb617b2L,
        0x142b83eb03ebf03L,0x1bcaa3996b09ef4L,0x0296c5f1cd83020L },
      { 0x11536f6fd631a2fL,0x173f859a8d46e5eL,0x031e6c49884a47eL,
        0x1e57a1e86ba34b2L,0x12b0ea7052d4875L,0x1d5c4f4d76db69cL,
        0x064b02f42af72e0L,0x1b504f420c513fcL,0x06566a960102a0bL,
        0x104181be701b40aL,0x1b5e7d618e50176L,0x136db7951bf2617L,
        0x06efdaa3f597201L,0x091b5c494490094L,0x1f0b9ceccdee659L,
        0x11b4623a7c71c51L,0x05d70787f41880eL,0x0367fb1b3ed7252L } },
    /* 144 */
    { { 0x13d0433f89a8bb4L,0x02619c9dcc7b8deL,0x1b200d1c28b5085L,
        0x0fcbb4113d056c2L,0x1bf5fda698fcc75L,0x1e9a662a11aa77bL,
        0x174346217094e7aL,0x1945c41650b7d8bL,0x0e71bbbe1782a1bL,
        0x0cef6984dc2a778L,0x1265e6265fe9aa5L,0x1f51b03e788a2e4L,
        0x1760c1115250cf8L,0x167c22f554d1da8L,0x1fb446f26c3bdf7L,
        0x0c10192673c4773L,0x1e7c93e9c5c2825L,0x00e96410bb09f60L },
      { 0x181347d987cfc93L,0x101ddf8c3fc0839L,0x1274494328c411dL,
        0x01760ab7e67f4d7L,0x1a3af87c480091eL,0x02a055defcaf8d1L,
        0x0116f89a1ddc050L,0x05b331bee61affcL,0x0b398135fb723bcL,
        0x01187c60af5f623L,0x1860c17d558702bL,0x1e99b4c148ffc11L,
        0x04e16d4bfc7c0fbL,0x1a30bf490374ae1L,0x1830839d058d255L,
        0x1c56c72e330d295L,0x122fe2693122131L,0x012a4371b0529bbL } },
    /* 145 */
    { { 0x18795ca53572806L,0x04a24b2b4b470b0L,0x125cfecc8ebacb2L,
        0x0c81378fac29385L,0x079121b3fb15de2L,0x0655ddd4866d396L,
        0x10495b4be853881L,0x08f979b4def22c0L,0x025086261b435f9L,
        0x1b4361c61417588L,0x05b58bc69e472f6L,0x1da2c3444cd8a20L,
        0x06271d74a66b1c7L,0x012143d2133c033L,0x193c3ced7ffb686L,
        0x054e997ca07ff77L,0x1f1d7f7f0beb948L,0x03a8d91ac044249L },
      { 0x197b9d6e9c9be68L,0x05ae233e886366aL,0x10f5dd8acbd05e5L,
        0x1543689c235119bL,0x0aa8eca86d94a63L,0x11ec3ffd85dddcdL,
        0x01d77d2c3cb4325L,0x1136ea60c58bb8eL,0x0fed726ac499339L,
        0x0d3031c2bfce66fL,0x10e4a9d7e31d997L,0x1b2abb8ce594443L,
        0x02b66ecc8dcd264L,0x0c522c5d38027f9L,0x0af594fec6aa6b8L,
        0x1bcf9d52c89bf17L,0x075a9378e802ba0L,0x00a266096e51636L } },
    /* 146 */
    { { 0x13a0a1d2989aa3aL,0x19141acf37326acL,0x032f4cb9ccbb60fL,
        0x0a78796493d2716L,0x189ea6acf4c464cL,0x167e194ba852fc7L,
        0x0e02519f96efcd1L,0x0db937f573a6f65L,0x0f8eb74533b339cL,
        0x1f00fdf1dbb36f7L,0x150953bdaba89cfL,0x1be4f7cc3621662L,
        0x01dd818488555c3L,0x1df38a7cb87db6cL,0x063da4f686bce92L,
        0x17072aebe402f3aL,0x151dc08fc6b2465L,0x043a76799b5c254L },
      { 0x04af83ebbb3f6beL,0x07ddc845da11eb1L,0x02eb5e1cd49fd5eL,
        0x114c5c0884ac476L,0x1e236f79c3659bdL,0x1f93531481d8b3fL,
        0x04b3d5690c31b94L,0x056444a8f5c75aeL,0x1b73890d776eb27L,
        0x0da7b859eb146fcL,0x184ec14fab92b25L,0x0271cfe42e9d3e1L,
        0x1998dbae175b4f5L,0x0228c2403aa4167L,0x1fbc570ada6ef79L,
        0x15e329e4f2ca595L,0x14fa0a3ef2bb6bcL,0x018fdc2c0e72631L } },
    /* 147 */
    { { 0x18306d1615cd607L,0x04fd5551961d31cL,0x016ddde44c75a03L,
        0x146ce11601d0f4eL,0x1445297f1031013L,0x13cdab40a7d070cL,
        0x0fb51c31560ea9aL,0x1a60607397e962dL,0x118a7ca8daaaaf8L,
        0x198acf3ae6db452L,0x039ce348e053ebcL,0x0e311a1e9f3fbd4L,
        0x09dcdff032eb352L,0x1ea419c5d85bb30L,0x17541e996ea3aa4L,
        0x0a16830089b04abL,0x054844a223e4a4aL,0x04c1918000c70cfL },
      { 0x0a2102757f3d5a6L,0x12b24374656e694L,0x006c09547cefff3L,
        0x1f26bd7be32b207L,0x0083aa6eb26cc64L,0x1267a0b0308948eL,
        0x0c6d73662299a23L,0x03ab0387ee7baa7L,0x078c804a977fc62L,
        0x0c3a1987d6e517dL,0x02369320f33c08cL,0x143b4f348e0fee0L,
        0x1f4a915eb5c4122L,0x08091b304d47069L,0x1ab4a828b7855f7L,
        0x1650a8bde8764cbL,0x0aad0a22ade188dL,0x0455df1cf491706L } },
    /* 148 */
    { { 0x04469053a2d2f01L,0x018c9aee3342e5aL,0x0efc75d2809f49fL,
        0x1eb6a1d83ad5211L,0x1f3c2e2601da350L,0x1b77490e9eea2f1L,
        0x05e73d9b84742e0L,0x068fc07211e8e97L,0x119e7c5b998b878L,
        0x1a0e9ff5e9e8ef4L,0x1a3a347bd8166e9L,0x12726ce9c48ec78L,
        0x073e7e67f69b9ffL,0x1774f1240ebea9fL,0x0f66131a6370c9aL,
        0x1d14ea5e47db567L,0x095f95e31b06f8fL,0x0078ada6861e85dL },
      { 0x12f6635790a8d85L,0x1fdd7712cad78c7L,0x1b1892d44a1d46fL,
        0x166468e2bba2b6fL,0x0bc5441d7639b6aL,0x082c19866ea94c9L,
        0x18d8152003a93dbL,0x02643dfaea5edadL,0x1c0b7ffe5192906L,
        0x1452c12f7544c66L,0x16ea488a60899adL,0x036177a0d765d9dL,
        0x004bb6b0cb678a9L,0x057c754c5921b6eL,0x0a816ef3dea679fL,
        0x07d63725a1cdce3L,0x1dbbf8d0471f599L,0x028aed9bc101c2eL } },
    /* 149 */
    { { 0x043eaaa6f5bef22L,0x0934c101a438977L,0x0139e8ebdb1a54bL,
        0x0d351928063c989L,0x1001899a18d434cL,0x07520631f2eba0aL,
        0x01c8548e36ef3faL,0x1d194d991a52cf3L,0x073db6aee04acbdL,
        0x1b49946dbfcc9e7L,0x1e6efeb5178cd2fL,0x1926f83e2c6147eL,
        0x1f9b00a6de8c51eL,0x096c15e1a483992L,0x1167f25279ab2d0L,
        0x09c76b20366da1dL,0x002cb09b7109cf3L,0x016f0243f0d5fa6L },
      { 0x0b722f38dd9d484L,0x049c9be3bdd660cL,0x03c64f64ae2a0cdL,
        0x011c7f584ab1b77L,0x145f4a7d80d78d5L,0x1e614ef82804c0bL,
        0x027e341caffb61dL,0x1aecf57f1e58615L,0x092c567ea9a0820L,
        0x12d5897451d2b9cL,0x0bebafc155486d0L,0x1e4d729d4bd382cL,
        0x143d71e546ee1c4L,0x01f45f0e8f20a4cL,0x07ab82c96060ee1L,
        0x094608922f905dfL,0x06e6813a4577387L,0x037b56038e6217cL } },
    /* 150 */
    { { 0x18822ad4dd6e3b1L,0x070e656b10434e9L,0x0114b2b37a03f1eL,
        0x15508d3fc7cf087L,0x067e8ef2121cc14L,0x1a3a2447479ed3fL,
        0x0c7d36e0f45b934L,0x02e7743bb30f30cL,0x1dfab59770a4c4cL,
        0x18509831f6e380fL,0x075805b363fca07L,0x0617798ab7928c9L,
        0x005760412a22672L,0x1947d77b0150ce3L,0x1faab671c6757c4L,
        0x15f6a4f972d3decL,0x0cbf342530e719bL,0x0371612667fad41L },
      { 0x113024badaf8793L,0x1e67881ae4a4731L,0x1ade54d402fe512L,
        0x0c3a22cecbd340cL,0x1fd93c787991a94L,0x172a4acad6ed974L,
        0x1973c174b00dfa4L,0x0e59628b6313e07L,0x181ae48ca95aa1fL,
        0x01f938109ad3727L,0x1bd68926ca9f548L,0x120005afe546579L,
        0x086c6745b00687aL,0x0328398297be991L,0x037163cf6a2a1d6L,
        0x0230b7c7171085dL,0x1916b48bf34dbf1L,0x02d7bfe86cbe047L } },
    /* 151 */
    { { 0x1f9b950f4a224a5L,0x022ba6628139d2aL,0x0cc190fc7f55064L,
        0x161ca1ef0669f02L,0x09581712996801bL,0x048e9b4336ba01cL,
        0x1bf9f6e69017690L,0x0d1e3c6f3be2d48L,0x08d04a93f83bf91L,
        0x126419a995905e5L,0x0cd2c7dca87042bL,0x12efb032bb6933aL,
        0x1ffba14b5d8fbc9L,0x1b6d7a3b65759efL,0x16dcbd183fbc089L,
        0x160c497291bfdb6L,0x0ae5185c925b6dfL,0x013d4e1c0cb04eaL },
      { 0x1c37346f12a93afL,0x1b83e2a9b31a6b9L,0x035526064f440a2L,
        0x19de436d3b1df4bL,0x0788a0e24f83a5cL,0x189e4c02e5d851dL,
        0x1e130040c5e0596L,0x1e5fd441cb056e6L,0x1df9713a0e50361L,
        0x0a24d07e866116cL,0x1d4b9df178b86ccL,0x0d7b6ce0899e306L,
        0x15733e177a6e44dL,0x047716118096ef4L,0x17c6525a2d259a4L,
        0x110dfb3760a823eL,0x04495182c716acdL,0x00e34834a7def49L } },
    /* 152 */
    { { 0x1b67d173a880026L,0x07850092ecaf92eL,0x1544fdb2de92271L,
        0x02b977b94a520a0L,0x172bcbd33eb231dL,0x0ad01d7c67fe4ccL,
        0x1f0bf2d3bd352b5L,0x14b289a8f94450cL,0x196d885480ead1aL,
        0x152be7c65e45822L,0x16112c01795681dL,0x1c323a31412fbfcL,
        0x0852923c745e9e7L,0x1faed99ccabd137L,0x0fb43234219ede5L,
        0x1a4784aa6811cc7L,0x1391596e5d5689aL,0x03dc609eb528261L },
      { 0x1c43aad52fb6901L,0x189fc8b65129d97L,0x0c29456ab718700L,
        0x0cfeaefb8428eb0L,0x1723c0ddc93d192L,0x1cfb6d137297477L,
        0x0ddb4bc783ae0faL,0x07332f3bd05e300L,0x143e28ecbb08349L,
        0x116a8ee51ce1c73L,0x018ea6a38fdad66L,0x1474973664e0dccL,
        0x02d2f8915d4cf1dL,0x08283c893729a45L,0x14e0fe979d78f81L,
        0x1f6535dff9cae41L,0x0d01d6d53cc8fd2L,0x0071e1f7b34b7a6L } },
    /* 153 */
    { { 0x1c337c121ee1d83L,0x047b6bc3dbbc41dL,0x1f304e3e933a5f8L,
        0x0f40691cb17ee13L,0x055e672dbaf7764L,0x0f62ee827c5d5e5L,
        0x048603b4a4675f5L,0x15f19cc97fe67d3L,0x0ac09fc5724b059L,
        0x03418fcee2f195dL,0x0899dd196bdaa54L,0x1ccd92fe3ff04d4L,
        0x16bc6087fd3c5efL,0x15476e358a8af06L,0x1e7b4a6c68e717aL,
        0x111707bb02d761cL,0x11c6cc13769bc37L,0x023184c71e04952L },
      { 0x06408c7c8bd0fa7L,0x12188e735ef249dL,0x0420a0fbdefb45dL,
        0x0f336bb271c62bcL,0x05a49a6b8213cc7L,0x14f268d7bf8ac0aL,
        0x1275b403f6c3f94L,0x0a4aba71eef9ccdL,0x0b4f7ccc01bd4b9L,
        0x0cbada4d7b8fcc3L,0x167f2f3593402a3L,0x0a094b4775ae256L,
        0x042b5c89f11860eL,0x1d1f118fb6cbb02L,0x032ea4bfb431965L,
        0x1c23cb02298662fL,0x05ae2e74c066698L,0x03fc7e849d1a45cL } },
    /* 154 */
    { { 0x04592cac19428afL,0x10e409d184332f9L,0x004b8c2ef5fc64aL,
        0x0706d8d77284b13L,0x198e498710db072L,0x16b7a5ce3d20f4aL,
        0x0b1122bfc5e79baL,0x07ce1f1f372eb0cL,0x06b3b02376f2198L,
        0x0ec1f4dcc7328a9L,0x149aa35d4486289L,0x10353ade3b4c765L,
        0x05a5a81f7495082L,0x12343a38c6fbc68L,0x01f63335e7b9567L,
        0x0d92a40c194aecfL,0x131427a84ffa847L,0x043db2628f321a8L },
      { 0x1f46f654b30d3c4L,0x0262e11da778a43L,0x1d998f2935a337bL,
        0x139e7f6adb676e8L,0x0fd7d46a1df3426L,0x14d45eea789ce20L,
        0x15f4a8edf1f1da9L,0x069dcad6993975bL,0x1b28ff342ac9423L,
        0x0237efd3c378ed1L,0x145272dc0320b80L,0x1f02a12ccb2f9cbL,
        0x09fcff4bddca30eL,0x024929342251030L,0x0087ce03cbd979dL,
        0x177a1cb6caa59a8L,0x0f577ea9c2a042dL,0x0464a933e6ce031L } },
    /* 155 */
    { { 0x055032e5fc1abb1L,0x0d7aa097f23a1b3L,0x1580a7c17bd4885L,
        0x0bb83237d3facaeL,0x008639b0b0e7332L,0x1f3339bd59e32f6L,
        0x155559d41fd4470L,0x15ac717df8790c2L,0x15d0188cf42f0c4L,
        0x01d180e6c4b0c36L,0x180fdecb19d07a1L,0x1819f479a3a008aL,
        0x1d4a40672ef7545L,0x02dcf46efb0957fL,0x048b5d15865f27dL,
        0x0b37f68a646fb0fL,0x016bf132e3a4b2dL,0x0457d0db9dc2535L },
      { 0x13596eae793ac70L,0x077c7777b6e8835L,0x1e89c108b901325L,
        0x1dd3cbaec724d69L,0x1512aadfc8c71dcL,0x01cbaf9a97e5b87L,
        0x0ec4c6dee84e2a2L,0x1a2af3227200b18L,0x19692092a97740fL,
        0x0d6ca2d8b05834bL,0x0d0e20420deac86L,0x0389e2e976e378cL,
        0x01ab1b80eb76ee1L,0x187622c53088dfeL,0x0b4cc96f20aeb21L,
        0x15b91ddcc024e62L,0x13cb4118b1ab240L,0x0339088c895ad04L } },
    /* 156 */
    { { 0x1e99306f55cf9bfL,0x029845235cb6cc8L,0x187679e9977e6c1L,
        0x038e6379775c783L,0x04d58a61453cb15L,0x03a6610a5f2913dL,
        0x00358e76b248a5fL,0x1be9a1ef48b045cL,0x1afeb1d51c62b03L,
        0x18ee1d25d50c596L,0x11c5e37cadd3c2eL,0x114d12d6d466fe7L,
        0x141dce055ffcd32L,0x152715c3f4af6a2L,0x16773a65fef1dadL,
        0x0cf83cbd8cfe3f4L,0x1fe052368accc03L,0x03e431c8b2a7251L },
      { 0x1e94b5eca7388cfL,0x005306019ae9c2aL,0x1e2d85be16e85f3L,
        0x1e2024530136d36L,0x1cfd0a79705d02eL,0x0f71a92b2d37400L,
        0x076b7add2a5b5f4L,0x01eb91065da84f7L,0x096ea8528e6d533L,
        0x06c43158c692774L,0x0e3b567fe4e7dccL,0x1344020c04a539aL,
        0x182303b3ff690fcL,0x0ea95a34e316c45L,0x0b4b64ff10b5e93L,
        0x008700df1bf4519L,0x1ad502360906092L,0x0192c13ac7e742aL } },
    /* 157 */
    { { 0x120e45f359e8c60L,0x1dc529b2650c375L,0x01c77fe384431c6L,
        0x069927caf00562aL,0x1829d0d8074e91dL,0x1541fd601937005L,
        0x08278f064896189L,0x10470f4c9abf653L,0x1caaa3d34e5ac5cL,
        0x16b42f2d6d16d14L,0x08099faca5943a3L,0x1632ec7005e724eL,
        0x0edf6b1aeaf7184L,0x12f3092e91faee8L,0x01ca86af87e8d1cL,
        0x1875fac50ff3a19L,0x05649aa93d2ac57L,0x00d273538aded3bL },
      { 0x0126ede554d1267L,0x0a2998e6815a40dL,0x013338c7ec74dfeL,
        0x1612fb8025ae15eL,0x16c7b6c5cf410b0L,0x048842c9870e8b9L,
        0x18e3e40bfb9071aL,0x1be6937494ef3f6L,0x0a16c5821acd6f8L,
        0x19dc1e09703b567L,0x140cef94074537eL,0x08a441e5a5b4d71L,
        0x0d99df18800593dL,0x0ff599d31ba9293L,0x1bbd15b28c8d472L,
        0x1b915b22687783eL,0x032c74857db35b9L,0x042b53e49c2da74L } },
    /* 158 */
    { { 0x007d0020d0a5583L,0x180eef6d232c550L,0x0590d364e6f8bc4L,
        0x014e18106d2380fL,0x1e81e540a0cb678L,0x05645c605a6fcadL,
        0x188e5b2ef34d175L,0x16caf8a5da0a8eaL,0x1cac2dca41805ceL,
        0x0af7355bc9a212aL,0x17bcc493268a9a4L,0x0c5f18258ce86cdL,
        0x1b7dbb7c3bbd3b9L,0x1115dcadd55b278L,0x118edd0f039154fL,
        0x14c624811fd7589L,0x0403ca773122a4dL,0x031444842631b6dL },
      { 0x057fd538cb8d208L,0x1c004aa1f836a52L,0x0553cbbfcaadea3L,
        0x17ee4a2fcf6cdbcL,0x19389d2cfddb28eL,0x0dc46700a4ff337L,
        0x10fdde7a1dcff61L,0x1808a5c1216174aL,0x1deb9b5cfb0b03fL,
        0x089a245362f6bbdL,0x07cf3e3ff00dc8cL,0x08dab83698946c1L,
        0x138fa59be92bc9cL,0x06d81348f3379dfL,0x07e23e44e5afd7fL,
        0x1bfc7e3d8b3a801L,0x158c29034562ad9L,0x03cec09162d6d26L } },
    /* 159 */
    { { 0x0d4e4ceaa529507L,0x1040a3a32ae800aL,0x08e13c3f11d015aL,
        0x146887971d81a61L,0x17f1728d8a8203eL,0x1077a919e317d84L,
        0x074fa28e373f6d4L,0x0a141f21abaf959L,0x128a7b0bf873ceaL,
        0x08ad71d363620e5L,0x05c76a84e04b074L,0x174ac49aa0fd46aL,
        0x097e98f42f25d4bL,0x0b5209b8c8ed694L,0x0796ddfff5ac7a6L,
        0x1ee0fa8d8424b6dL,0x17ac7d2b42420c4L,0x01559d7cac0a12aL },
      { 0x0ca074c6a5372a6L,0x1dc1f2b1495d3c3L,0x1b71ddd073d5ca3L,
        0x02a41de93ae8ab2L,0x01e4647270b4ceaL,0x1c562e8a397f1a3L,
        0x101c7d35af598feL,0x0c28dca59938217L,0x128794efe371a34L,
        0x042838c13b7f43bL,0x155dce6fbd6ad29L,0x13fe7e2b902bdb5L,
        0x058f8395c324c2dL,0x005b542a8c44a87L,0x0200f86eb90265aL,
        0x04bdc9ea7c45915L,0x1caaf233f61039dL,0x003ed961a928204L } },
    /* 160 */
    { { 0x1f3b8db037d4703L,0x1846fe2fa445ce3L,0x0c3e11c7500ba0dL,
        0x04b45f55d23f750L,0x1404fc1ea55ee8dL,0x16ab28e172df882L,
        0x1d7e591f5409ea8L,0x17e6f4a7818fd75L,0x07adf0bb295b30aL,
        0x13170ff6b2649ddL,0x1063038bbd29e16L,0x13b29a59a09efffL,
        0x175ea0af02139ddL,0x07f7cd67929fdd5L,0x1856a9df20403a8L,
        0x040d2e98a709b90L,0x159cb28682d9fe5L,0x0045b6547e7beebL },
      { 0x04e5bea036c3b5aL,0x130813fcf95a5f0L,0x15c0a5e5f03ce1cL,
        0x17050f3d4753f94L,0x007f0ddf1656180L,0x1870438a99c4ddbL,
        0x1ff1e668488f19eL,0x0321a3011d93b12L,0x09470711a916edfL,
        0x07a97958390b88cL,0x0ca7ff462222dbeL,0x058a998df200bb1L,
        0x05eb24877fef1e2L,0x1aa3ca92e201b0bL,0x1851a2bf6a548ccL,
        0x17411ac454842d0L,0x1d25d043b0774faL,0x01619bd810698d3L } },
    /* 161 */
    { { 0x12305bcea22fa65L,0x01f7a68acfb1d3dL,0x01f4fcd648fef86L,
        0x0d823aeea668e7bL,0x0a054cffb27fb30L,0x0c2b0cb8173f359L,
        0x14714f3a7e5f2bcL,0x0b706aa04869cfaL,0x1a63e3d82f356acL,
        0x13dbe556bb22898L,0x179abe99c7f2761L,0x1dbc560f9aefdd0L,
        0x10ffda51933b985L,0x14a16e1b03eacc5L,0x18862a6c43b28e6L,
        0x1ab942fe7b9dca0L,0x1c93d94e8d106b7L,0x0284d931a76c418L },
      { 0x1b9414e48caed54L,0x1c63665fa8f4bd8L,0x123537a6c961de9L,
        0x1923dc7af148d11L,0x030ee64c0024137L,0x0c86bc5347c91a7L,
        0x1a42d5cc956f220L,0x09883d1c0bf7500L,0x050038d84ec354fL,
        0x0c7816b6fd2940bL,0x1e401f32d8ff6acL,0x01f7d315c8ab88fL,
        0x025d0e319d29d48L,0x0136db8ca5622e9L,0x0d61ee741bcd5d4L,
        0x0ee4ee6773c4058L,0x152224839922c31L,0x00ac96ad3aa5dc3L } },
    /* 162 */
    { { 0x178d9a2cf7453f0L,0x1c4cd76c1e0f82bL,0x1b4f82a0ae9ebfeL,
        0x15d47aa1035cca0L,0x010aa38b32c84e1L,0x1be820cd6a94604L,
        0x1907ec7f6c082f4L,0x1ecf1ad97c3a0d9L,0x0d287f0f02e74b7L,
        0x0e692bae21dd811L,0x03cbcfe069c6cfdL,0x03eb8c67cfe8da5L,
        0x1cc4fc580ee65bbL,0x1dbd83d29972fe0L,0x12abceb35554e7eL,
        0x05a5b6b5288e387L,0x17cb958bdf44cc2L,0x00b0a5edebbd13bL },
      { 0x01f0230ed0ab04dL,0x03d803710417526L,0x118f10b16d7eb8dL,
        0x1fbc03326b3e217L,0x05dd0825b0539e6L,0x076d0b6c4dea73bL,
        0x128ca48983fbeefL,0x0bf1554eab9cc55L,0x0ed762fa95ec82cL,
        0x0f326008c3283b4L,0x15891724b8d2326L,0x14ee63d4dad0afbL,
        0x0b07b447360db88L,0x0b8eb87f7780095L,0x1e246c2e4d5ae50L,
        0x04145cd160c5007L,0x1283a54a53ab79cL,0x0244b2b63d80583L } },
    /* 163 */
    { { 0x03649ba71353c25L,0x193d089fb3f1272L,0x0ce8707ae78d45fL,
        0x18f1c537f2217a6L,0x0743f15d94e1c05L,0x0d16f8427f3ecbaL,
        0x0ef86721d242243L,0x16304807f4ea6ceL,0x17ebf5db41baea1L,
        0x1f0571a920c0756L,0x161cff0bd430ff3L,0x15ace0cc39b23a2L,
        0x19a51e8c2c16851L,0x100b084cc014b46L,0x09fa95b9f46a737L,
        0x18930562a791351L,0x1cb6d41b78906e3L,0x00415d974eb3b4eL },
      { 0x180ef46c4d6615fL,0x14ee080dcc14e30L,0x1b003ec9932bf18L,
        0x0c21d98589bc445L,0x1eea2c4dc5457e0L,0x0e2d964ae72ccf8L,
        0x043e410cfe9ca3eL,0x0a7dc06a8c59ac6L,0x084c57c3bce2e22L,
        0x047618d4b6c3f22L,0x1f8e4e914b169dbL,0x0281408f646a617L,
        0x18c018545ec592bL,0x0e0bc6233dec5f0L,0x08c016de538041dL,
        0x0a9e6908e328c5cL,0x0422665e237622aL,0x01b228d23480e48L } },
    /* 164 */
    { { 0x1802d1819893e71L,0x12ec5a9cd10410bL,0x08048c0bb3f285dL,
        0x166cb7eb3bf8d5dL,0x0d232a808d4cf51L,0x140213c3ba0eb90L,
        0x0e7b2b0d0facc63L,0x194aa7d965fce8eL,0x0aeca79a81a8b07L,
        0x04ff9912b7a559dL,0x175ca4fe8747dc2L,0x135dec55342cbd2L,
        0x12aa08ddc226056L,0x0dbddaa52f3bb11L,0x0f55b9e4feafb0cL,
        0x17dfe914412ace8L,0x0f1749cdb12eb0eL,0x0382983d234dc7eL },
      { 0x08e4c04e488310bL,0x137192992e6bdbdL,0x02c1260fbeb049cL,
        0x1805bb7226ba1fbL,0x17b9685c796e552L,0x0f9251877651fbbL,
        0x125e66dd9ba26c5L,0x0d8f84e6dac91dfL,0x03d619685a8021cL,
        0x119f13c505978f5L,0x1a61e6d9db5ac3fL,0x063235e9c17d2b8L,
        0x1136c4ee55a0747L,0x0cf2f9dcd17d5afL,0x12bf9b9a4e2e3fdL,
        0x1a2403c229b4873L,0x0ecc9595ec36a6aL,0x0407bcde82bf315L } },
    /* 165 */
    { { 0x0ef42a760af09b3L,0x0b75ec99eff0a1eL,0x0783b617aaa0f00L,
        0x1f9d547792e419eL,0x17106f97d4f5e99L,0x134569390b5ce95L,
        0x1947d97cd30db25L,0x1bd51f70578b618L,0x020f42f1cf2fda4L,
        0x198d596690fb2cfL,0x1ddb1e84f45863aL,0x004470cc57cb6f4L,
        0x10cad08e0bec441L,0x011600c06412ed3L,0x1be7ff664a641e4L,
        0x116a0ec477b4055L,0x119de84f4f3f5c5L,0x02fad2ed26c127fL },
      { 0x137257e7e8311dcL,0x0a7a8a336789b2bL,0x1916c172886b7beL,
        0x1805c9566f4e7c2L,0x0579165b38ea9b3L,0x0580d23bb07564cL,
        0x156137ff7411f09L,0x1b4311a9fa27f72L,0x0faac38b825548bL,
        0x13cd3782cf4ee56L,0x1dc83c2689c03c6L,0x0aa9f714fc91307L,
        0x0847a1fad58cbbaL,0x0d5eb5af1c50ccbL,0x1c5bb084615951dL,
        0x120f6ea227a63e6L,0x0891391e7814212L,0x0298ce40086e0acL } },
    /* 166 */
    { { 0x120136e6b61c3afL,0x0796f03da5db411L,0x19fce0325fc0750L,
        0x00d5186274ca3bdL,0x0011ca10a978ba7L,0x0fa22d9162c3eb1L,
        0x1139922ee8862acL,0x1f318bd5e0fca08L,0x15549f02a442fccL,
        0x0b23a379ec0249eL,0x093d85e70116449L,0x143157b9110e85aL,
        0x0aded38f8f1600fL,0x091d75a32e5c300L,0x0715e2a92fe6e42L,
        0x1d429ac7fdc6a3cL,0x1f0f3c9c5acebb9L,0x01e8998a6f88d27L },
      { 0x1cc662db4513d1eL,0x05462eaaca95ef2L,0x08ff9fe1b42b79eL,
        0x08f409e18bd146fL,0x0e25d06cca2d12aL,0x09b038a6334b721L,
        0x1872d49851a62c8L,0x0bde9a4e03713edL,0x1aafd617780efd9L,
        0x16b9d6262ddb483L,0x01d2b10836cd6b9L,0x1bc9e4ea3f4093dL,
        0x16a1fa2edd11631L,0x1bfebca6d94fb99L,0x0be4a993101a192L,
        0x198ece79643a7c4L,0x0adeae904e62043L,0x033f9454fd99163L } },
    /* 167 */
    { { 0x017b258ca148ab5L,0x0cbb7d9e30028beL,0x1a6323ca37e6e68L,
        0x09d1a8a02fd44c0L,0x0578a42287b2cc7L,0x1f63991b92b9948L,
        0x0ef120757b8945eL,0x1fdae823f9e3a91L,0x146217e6b487f5cL,
        0x1803d62a0f5c70dL,0x115e9b816803232L,0x1a57a5f3f533883L,
        0x1b40941cad1f954L,0x1c14a84e9b85eaeL,0x1b297bb921e1e70L,
        0x1f73c9826eaa4b9L,0x1b2e8ef7fa4fd3eL,0x02ff848ba0de8deL },
      { 0x11912a4579c6632L,0x0d227dc51040abcL,0x0e114d58e74eec6L,
        0x177879379de9f2fL,0x119e6410e57e2bcL,0x0becd689159f95fL,
        0x1fd987c0627684dL,0x098ceaae776f3cbL,0x1444e5c98ef2f3cL,
        0x17b0f1002688398L,0x08d9beb1d758d75L,0x190c590a9e461bfL,
        0x1e0ad0850b9fc47L,0x17b906196025721L,0x14ef27573a53d90L,
        0x074c6cfdf5ccb4eL,0x046c27d30d3b037L,0x03340809d14b90bL } },
    /* 168 */
    { { 0x185d913e84509dfL,0x05f6ee799c9bb09L,0x174cd08e8523a5eL,
        0x07dd196af25be84L,0x11c4553c43fa0aeL,0x1f8ea4780a9b4e9L,
        0x09128173c22ef7eL,0x0675bfe97cd2888L,0x001635f81a35ddaL,
        0x02e44a4f3b7d5beL,0x1ff37859cdde0c2L,0x0a5944a9f1a497aL,
        0x06413ec985fd8cbL,0x1d481366310b453L,0x18786dfcb6e5d05L,
        0x1ffbc72c5dcaca1L,0x11fbee0a346d3beL,0x01d9adb9785efd5L },
      { 0x1f8de9f535c3749L,0x0f907c56ece245fL,0x0def23e3d98c8f0L,
        0x0bd1e75c9352eb6L,0x1d5e26282529e47L,0x03178ee197886a8L,
        0x0f8d96b034a5d9eL,0x0c4278f26710a99L,0x148f004ef4b67e4L,
        0x11bd0a872e88770L,0x11de374a0a2283eL,0x14cd9f6e7e9a92eL,
        0x130780495296830L,0x0bb05b4a4fa2200L,0x0dd726608cf1c26L,
        0x1f3390681994a4bL,0x0853f62e40bc771L,0x023e850f5e6cae3L } },
    /* 169 */
    { { 0x06f4fff652811f1L,0x05549b177980113L,0x0955432e832baabL,
        0x1400fea8ced870fL,0x002f2673a350142L,0x0e3732e3fe88151L,
        0x18f6576bb95c0cfL,0x03cc0d05d860c94L,0x146cf0bb0462b25L,
        0x1018652aed49b73L,0x0983c90d0996d43L,0x0576d369d1eb90fL,
        0x0c7ad7770a9637bL,0x169d0ad3300fdacL,0x057a5847c851fdbL,
        0x0742c0b68fabc53L,0x05ccb0ca9b38321L,0x047a5b0a524cad4L },
      { 0x0a8ec194b4eb3c1L,0x04d6210191d382dL,0x0c893db31aaa315L,
        0x168bf34b4601a92L,0x0897abbb0e53b9bL,0x166be8723778880L,
        0x0d623fa1cf95f5eL,0x1a2f9f99fca1ef9L,0x00ea53d65c85557L,
        0x0ecf5a239447971L,0x17b7eb03ada2a3fL,0x08e010c07419565L,
        0x0900feb06c58221L,0x12f2e55634a3234L,0x1246ba60133d6fcL,
        0x0bd5db0ab30b13fL,0x001ed9378b173c4L,0x047ca168129264cL } },
    /* 170 */
    { { 0x11ec3028e845808L,0x15ffd5bbd5fe28fL,0x12e7e365f71f0c0L,
        0x087558b2964d5faL,0x074d94dc3d3a83cL,0x12c88e71dba5e8bL,
        0x0b3491192dcdf2aL,0x1fcc524aee70e38L,0x1419f24853b4440L,
        0x0d35079f02956beL,0x0a035a11b21b037L,0x13f5f0649e84c8aL,
        0x0807cf117aa2568L,0x06ee4edbe3a568fL,0x1bf2175589b7a82L,
        0x1d6a6a4c406e72cL,0x0cbe0ad57c3f3b1L,0x01c1801294a4e0dL },
      { 0x0ef5a405e744723L,0x1e7ba8d704240d0L,0x0333fb07ddbf6d6L,
        0x03f566ff8d57f5bL,0x08fedb78fba5d83L,0x09f9885f1cf1246L,
        0x17092973eb57eb6L,0x1eae8ffb63d227aL,0x1052a47c94518b7L,
        0x11046b63e7da193L,0x172e71c394e2fa7L,0x0eb2b762f22d626L,
        0x005b3106c736352L,0x0104dd8351603c4L,0x11412b74b50a81bL,
        0x1c0696a4b68e3a7L,0x1a5c9f4b368822cL,0x00af8c3cb75a0c2L } },
    /* 171 */
    { { 0x14dea060aee4684L,0x10f833e6dede404L,0x0526c64c4c650acL,
        0x03034fb74d4873cL,0x1c2ae80fea4bdd4L,0x011ee163109b831L,
        0x046c6d62c259c4aL,0x108e887aa2b064cL,0x02e16f83113c203L,
        0x071026b15ecc969L,0x16f35bd064e22c3L,0x1a3a3a6ef18e933L,
        0x0fc5ddae73492deL,0x0ca5b12cceadebaL,0x01b29a35204f54aL,
        0x18558323b39ec1dL,0x038562179eaf3e9L,0x030a378f9cff709L },
      { 0x106d33e078e2aa6L,0x17bfbcef74932deL,0x1e076a903a11a4eL,
        0x11373480fdaadc1L,0x0de9951905fbbb8L,0x16dd1cee7a256e7L,
        0x1dd2dfdc7e34c24L,0x1d6ceb6bb4a8462L,0x07456a251a5f605L,
        0x018ea57c3d1cd4fL,0x0c001816d1d2f64L,0x17e56ccb5523b68L,
        0x156631eeb4bda5dL,0x111bbe2c2e8d1efL,0x1742ffc0a0527bdL,
        0x0cbbc5c35e9d2d0L,0x050e0ea087582a4L,0x04aaa1fcf035e80L } },
    /* 172 */
    { { 0x1cbc6f485d7c6efL,0x00426b1d8de127bL,0x1a22fe32e98b2b6L,
        0x0d68ab8325bf219L,0x174fc6ed98e4b68L,0x11003bb0a35c6abL,
        0x094a5c388e279ebL,0x1eaa48388f2c384L,0x17d2215103884e5L,
        0x16906710bf14139L,0x067d453c99d3e35L,0x00aae18023b7c62L,
        0x19fcfb760e85459L,0x0f46150cefd5baeL,0x1f52c9e5518d8aaL,
        0x0d31896da7f1494L,0x0ffa5c87104ee5dL,0x036da1a3c15d14bL },
      { 0x04864935c3f0d95L,0x1edc1273a444a83L,0x1d89acbcf912245L,
        0x0856feae97ee7fbL,0x0f732723c60edc5L,0x1688a65f0e04d15L,
        0x0bfe5f4d19a75f2L,0x0392c8cc0146435L,0x0b94e2bbaed0cd6L,
        0x1370d20ef623a87L,0x1a6436c6a27d621L,0x1ad9e4eb2d27437L,
        0x00c0e0dddfc39e4L,0x0cce452088e7dbcL,0x070c143c2bf35ffL,
        0x18dc99d7ff5b6dcL,0x0944f3981b096d2L,0x003d3c8f395713dL } },
    /* 173 */
    { { 0x10e90471e9f0300L,0x09d6cde66fc8273L,0x0277fc14c1e3809L,
        0x1d5d1268c4a3805L,0x04846845f1ef092L,0x0d6a5a1648548d5L,
        0x19ec8651bb683c7L,0x029e0eca1e667beL,0x1c6e988db0b15a0L,
        0x17063375aa1787cL,0x0d8c478300de3dcL,0x1b555d0d2a1aba9L,
        0x0db35f1c8f548baL,0x0a268d6a3400b1cL,0x11c74c84a78c85aL,
        0x09bbd32a3759080L,0x0ac03cc29f385e9L,0x036b5661722a1f6L },
      { 0x1999e9557b2d299L,0x1e6cdf1eb90e6f5L,0x013eed32d110e8aL,
        0x13b80c1f545cc07L,0x0c987cdeae17770L,0x1b7df6ba787369cL,
        0x1effe688df3e041L,0x108d35e2a26f307L,0x06c3f7a1d323f95L,
        0x110e567b6db21ccL,0x004d3e59c0f648fL,0x131f70727eecf9bL,
        0x1c2e82522207558L,0x1c92553e0dad945L,0x109ea2ade1e6705L,
        0x129243b66f1e502L,0x0eed5a451b1ff28L,0x03ce8c1091e9e23L } },
    /* 174 */
    { { 0x03edff9109d5589L,0x0975a014da24c8dL,0x14c2d2d52b7f7b5L,
        0x0344f7fece27d73L,0x07f0f4604f9214cL,0x1287142640bf73bL,
        0x188deeb7e360f0eL,0x1838bb807932804L,0x15f29581b966647L,
        0x05b5044c50343f9L,0x01f3b0c58d145c4L,0x174ac5cea3115cfL,
        0x0745e2c3fb2001dL,0x1b3e99caaaea70dL,0x1a10bbaff2b37aeL,
        0x0b01743415f3978L,0x1c850590a2b3e88L,0x039882248d3c266L },
      { 0x0ca2cdf2648d676L,0x0f652a78d8958a2L,0x1250a60387ae6a1L,
        0x1235915512373b5L,0x0719e195f30d370L,0x181bcbb983955beL,
        0x19fdae9463208bdL,0x04f58121c295800L,0x10e6cfc708dcd29L,
        0x1ac44f110f3ed31L,0x0a902e0dc71f193L,0x17c51ef0f193695L,
        0x0bd84caf3f1f9daL,0x0f070ec97bc576bL,0x0909370f0e7741eL,
        0x00132d017cbf624L,0x14ff41b214d0bdcL,0x03547c7e4a8c062L } },
    /* 175 */
    { { 0x0a1ed6353235132L,0x119f8acedd445b1L,0x1148a47bf76076cL,
        0x0f64a2235d0ac4aL,0x1d701bd8c750529L,0x1a7a2edac90d7c8L,
        0x1cffed34175ca5dL,0x070dc7a98bde31cL,0x0897d985f899b30L,
        0x14e187de44d8aacL,0x0b468d344c60722L,0x0d744446641c792L,
        0x0201ceed02292e8L,0x0c1f984fe7922a6L,0x03f468c9e917dd1L,
        0x0ea70eb4c20595aL,0x1d7db4f45d2cb9cL,0x023a96c60ed941fL },
      { 0x14d6cead5dff4d5L,0x0afeda2d413fa28L,0x18313f1c4d79d33L,
        0x1037caef1c20e14L,0x18dc6b08dec0bb7L,0x1e124b138f0966aL,
        0x062b2dd94226d52L,0x064dbbe58c6c321L,0x1fd6ebac6675288L,
        0x1516812e1284578L,0x0b36a1373f07c3aL,0x0d508aa217c0278L,
        0x0d1a8868011c783L,0x17d792a29c82344L,0x0c2a23590c4caaaL,
        0x168e092d0aaee50L,0x152569491ca8744L,0x01d328c79bafdc2L } },
    /* 176 */
    { { 0x0a8ed50224042a0L,0x071d8122978f355L,0x1d31da084761b2dL,
        0x13de9aba7fdb94bL,0x122d46e54e0fe3fL,0x0233ba99d471522L,
        0x1406d6663887fc5L,0x072292d8a1deb25L,0x069104c2f83a677L,
        0x03385e5a395df80L,0x020ec940c5def4aL,0x180afa4e25451d5L,
        0x17b439c994c5d8bL,0x0e6d0d7fa0f7c98L,0x0e3dbee60074ea3L,
        0x1f041ad0ddd6ae0L,0x017e80c5cd0fbfbL,0x02a0561b1f6e12cL },
      { 0x11969a9fe7f43dfL,0x09c04160dcf2653L,0x1f621670a45f999L,
        0x0b2d5488095b2ceL,0x1f1297dabaca954L,0x1753ef074ec2affL,
        0x0fe387d8625ec8aL,0x1bf2ddb99fa6de2L,0x0627d307016e200L,
        0x14f839b64c4c452L,0x0979825fc8c749cL,0x0437ec090ea52bcL,
        0x094019b299af7f2L,0x135a58eceb34130L,0x1375e8c76677824L,
        0x02bd3d88f9ecc35L,0x14f4de9f2b36ebeL,0x00bed99767d0b4bL } },
    /* 177 */
    { { 0x1ef69196cf40599L,0x086fd806010753aL,0x19eff2abd9e5fa8L,
        0x0711bbacf07b4b5L,0x055bcfcd0d663caL,0x025e3f2d10fc7f1L,
        0x018cba70fd4e38dL,0x09a6bec563aa91cL,0x1654f242543c6e6L,
        0x1aad3d3134c9b13L,0x1f17dec3d04c931L,0x1ef2744301e7476L,
        0x111e81675b05697L,0x129a147ab67c2fdL,0x14a2c09b4f36cd7L,
        0x1f6f1c7542b22a5L,0x05da8470255f7a3L,0x02305e80dd0ca22L },
      { 0x034dc23c24d8077L,0x05ac0263906965eL,0x0445bd747ffa0bdL,
        0x0124f079c5453b5L,0x15904af3578af52L,0x1508c8714fa8d5dL,
        0x177c11b15c35fdeL,0x0a294a45f74ae37L,0x1bf4e2a06ae89bbL,
        0x0cd9ae62cf9a226L,0x0a0d9c9b30955deL,0x130b5f9d82ef860L,
        0x0b7c36cbd094a4eL,0x1ae9c83bd6d7beeL,0x0f892f3b4c6de1dL,
        0x08436a5ad209e5aL,0x18dc5ca26691f95L,0x03e9a161e0b9a43L } },
    /* 178 */
    { { 0x1cf2c0a11fd127fL,0x1b5dc08cf262f72L,0x0949bbd5ab0d9b4L,
        0x1dca860ceac4356L,0x0c3e961930cfeaeL,0x1e7338976f13e95L,
        0x130f5904d44ebe3L,0x130c2b38c360ebeL,0x1d447efe959069dL,
        0x1c6b7b4753b5754L,0x17186c3d6f4592bL,0x08dc3d11773158bL,
        0x161ba92320dbab4L,0x1c4c4c32b0c5c58L,0x02dfa0a83abecf1L,
        0x0c17618f5798581L,0x1a710f09b6e20d1L,0x02df057d3472631L },
      { 0x0ab6d381bbbf49cL,0x0e724c60381ff41L,0x0d77843d098cf82L,
        0x03b4b48a65d94b1L,0x1618f7b7d9cc658L,0x07bff383f0c43b7L,
        0x01af81066978c94L,0x0d376353d21bcd7L,0x0584a7deb373591L,
        0x0759a44a8a4ed96L,0x11a8cec3aeaee0eL,0x016185f1152428aL,
        0x070a2db0190067fL,0x031f379f5ef06ffL,0x081beb6e946c1b3L,
        0x1b81543224f73d2L,0x0aee4eb5e87fe80L,0x00f37e67aea6f18L } },
    /* 179 */
    { { 0x17dff66aa8ac924L,0x0d698e14c59f45aL,0x0ca597ec20301baL,
        0x1a3b2b927fa281cL,0x0a180caa7dab211L,0x06f6b4b6b46c214L,
        0x1187c6a4a502288L,0x065502a2ea671beL,0x1ff5604ae60eae9L,
        0x00dcf24bed72605L,0x0ea5ff7898ba264L,0x1349e21093068aeL,
        0x0f64724f1ded69dL,0x1542d0afc7fd011L,0x114de5357c70b93L,
        0x00fba98c4d9d202L,0x03780440cd6bf09L,0x022916a30aeed54L },
      { 0x095f079ebfbe7c5L,0x10ef6c2779a2344L,0x1adb5286ae58c3aL,
        0x04a14618d0e2d53L,0x0043bbaa1a4a5d2L,0x0872faad0b318e0L,
        0x0155af441d40940L,0x0337ffc7d3a7b18L,0x131b30b18077724L,
        0x07fbf78425c114bL,0x0df5d7c868630e4L,0x0c6aacb771f0018L,
        0x0a45e3bceb18d0aL,0x11f85846dd60ed1L,0x0f16b1470e3a430L,
        0x03f8de3743544bfL,0x0ba09d5256bdda7L,0x01a3280d4b6bf20L } },
    /* 180 */
    { { 0x0be448ccc2b0f1dL,0x1a2e4d6261b81c3L,0x19767f25aeff8faL,
        0x12b5c4ffb4a70feL,0x1bc18089cef3c4eL,0x050c50d0047bbb0L,
        0x0cdc7cdd282108bL,0x0a9dd105084a76eL,0x1cb6fc6d87cc093L,
        0x044f60db0a4b6b5L,0x10a6e5278c97121L,0x14a4f7bd82cd525L,
        0x0edcea281315c6cL,0x1d108aa7caa2277L,0x041873cd1a0faccL,
        0x081771f64df31a7L,0x16dc3b08aa806c9L,0x03e0ea167f2aa64L },
      { 0x06e703fdc110aa7L,0x1bcebf9b171bc3bL,0x1d756ab728f2adeL,
        0x12c17c66e7a4b38L,0x06c4e8ff2a6eca7L,0x1b82dffa3a25258L,
        0x12d4eca10b33bceL,0x1703475eb555c60L,0x17bbfa2011b2d31L,
        0x05d375d25f7446cL,0x1597395972e0e71L,0x0d2db5efd9d05a6L,
        0x07e695974524808L,0x14a7cc1b963e667L,0x0468c9bbf5bacf3L,
        0x1274c1467699e70L,0x19014203f43fffaL,0x0018f4c1439e18eL } },
    /* 181 */
    { { 0x1efecfc765a17ffL,0x19c4468948532a7L,0x111a4e3680e2827L,
        0x1b42d35a8d7e4cbL,0x03a62fe84bb6145L,0x04305299e7c10a1L,
        0x0e31158b7d5c6afL,0x0eb7e5521f502b8L,0x145ba1d6e17eda8L,
        0x0cec40d4a37d2f0L,0x0f9e12e43d68edeL,0x06f9621fea54d83L,
        0x04a4f4fd360910aL,0x07169dd061c60ffL,0x1e9861f0c603f16L,
        0x06b847c5fe0a162L,0x11c3a00059b943aL,0x024a69b22d14662L },
      { 0x18426b64ba021f8L,0x04841bcb6f5b61cL,0x0e55f8db1d8b453L,
        0x14ea39e42cda5caL,0x19b24a198f556ecL,0x1061576d650f000L,
        0x09ccd1e21f6912cL,0x1af27da999bfe83L,0x18d717c445c7c0cL,
        0x02431a548dfb804L,0x051be4ed66eebf3L,0x1673cac49e2b43eL,
        0x0d303f8443dd38bL,0x05f8827e4b6a0d5L,0x1c19609ad9c3c0dL,
        0x001ea0a07f3da52L,0x0f3768e1f47b342L,0x01e7ee62f5dea63L } },
    /* 182 */
    { { 0x16c2a86b523e13dL,0x0522c1490685029L,0x11e39d5c4a58405L,
        0x0cfd6a37d47aa56L,0x07b0e9190574606L,0x144474384fbc30cL,
        0x1f3500a2bb621a1L,0x1e6f35013afb295L,0x050c6032fe2129aL,
        0x0f25f394c1e2041L,0x0c6eedeacefa39dL,0x06596c318e51306L,
        0x013f59c4a4d31a0L,0x16a7b0f11b6ec2dL,0x15c5c576fb38d17L,
        0x1d7af74f5599a3cL,0x0a1138c58da64a1L,0x04494b6879e8d77L },
      { 0x165288fcca82c97L,0x160968a13f46e58L,0x1c1d30fb76a49b1L,
        0x1dd5403d7ccd529L,0x10f5e86d94600e1L,0x02b5188a55e73e1L,
        0x10b09d075c0832dL,0x0d1560b54264f3eL,0x070b60fafd42384L,
        0x0c77f6098c69cf3L,0x1fc6b22482cc628L,0x1751b0733c07d60L,
        0x0e3c81a30101e3cL,0x066333ec32fc499L,0x1a181f2ba2f29f7L,
        0x142599dc35cf344L,0x0543182e64ccac0L,0x04919d17b958d26L } },
    /* 183 */
    { { 0x17e8df60acbee17L,0x0ace12e127e6e38L,0x021f953ff2c03c2L,
        0x15a50a22d68de13L,0x1ba1fa51b993decL,0x190c1f05fd527c5L,
        0x1dde6724927bf43L,0x043f27966b12d08L,0x1284bfb7f2322d4L,
        0x066384d6a157804L,0x1c89d26ec758550L,0x1674e2f878d58d3L,
        0x05bb9c5eeb76f50L,0x123c1dafc590f4cL,0x1870f9d63ec66baL,
        0x035900990d736a5L,0x091aca59092f297L,0x015d9353490f6c1L },
      { 0x0a3443515f81416L,0x13973d57fadda4cL,0x13780c5c987021bL,
        0x18b81439fc7a3ecL,0x1368340131c0786L,0x1cda66aa17526c5L,
        0x09fc4bddc9ce868L,0x1b829fcfdc397deL,0x1ee7fc09e16bb27L,
        0x06e660ba0872ee3L,0x199d08650ecf770L,0x16c07e63836f468L,
        0x19c22c107092934L,0x1ccfcb3580c36f6L,0x06c224e8dfba2e9L,
        0x1a9bc1e77f96849L,0x108bae614472e92L,0x049be59fc70cb75L } },
    /* 184 */
    { { 0x1c0e77c16fbfdceL,0x1a664e4c6a6602bL,0x15c9095cb483a80L,
        0x1800335079cec0dL,0x115971629861b55L,0x107ebdc05d1401fL,
        0x0aa883d05077416L,0x1d910cb2276961bL,0x0e6685746aa3848L,
        0x168ad2d1f0242e9L,0x031dd0eda417745L,0x16fb0315e575038L,
        0x14d2b74b78cec31L,0x0a1f1794406c78cL,0x0c1f073299676c9L,
        0x09180637074fb3fL,0x01186537fdc1f10L,0x026abdd83bc2c35L },
      { 0x04b768a53b396b6L,0x1926249da8ed65eL,0x07ae8c2b86cef22L,
        0x0b28a28f8a67ca2L,0x179fe3ce893bbd9L,0x0905ea366430188L,
        0x18580d2c2859cfeL,0x107665225d6d64aL,0x0bc69a2a49d168dL,
        0x04a4f3d7786e894L,0x0d066a1c9a6786dL,0x08ef7e426ed64c2L,
        0x09a4f9714706c58L,0x1dcdba2ff2ad8c8L,0x17cf2158f5badd5L,
        0x1f5c76a6cb65211L,0x0a80e257e4355fcL,0x00833e08c4bcf95L } },
    /* 185 */
    { { 0x045508432bf8883L,0x0943537e83333e4L,0x1e3ddf08cd751d5L,
        0x145e945929ae161L,0x1118acf5678e60dL,0x0dc86cd2346c566L,
        0x044133a4e0c2efdL,0x149d49638e9da9dL,0x0ac67316d27776eL,
        0x0c56bae1b0dd589L,0x0f520a64489146eL,0x0440a614875d864L,
        0x0e3292d5a526440L,0x0ff678de1d22299L,0x19ee2e36d21a52dL,
        0x0d5bdc9c0a2dd8cL,0x125b3aa595fa430L,0x03f27b848f9a74bL },
      { 0x13816e9b7f70919L,0x10b768b5801fa9fL,0x1fd1de326795d94L,
        0x10614a30208d8d9L,0x05e728dbe6a5abeL,0x0677eb77b7a4f32L,
        0x1cfddbf75cfab2bL,0x187d8729cdf186fL,0x173320802b6407fL,
        0x04747bd4b312e5eL,0x048d8df2afec026L,0x13be80fe6b35065L,
        0x05ccbfae50258baL,0x1f128c09ff80d77L,0x1c72e87efabab3bL,
        0x19b6b38d3e2c307L,0x0bd512c58ad9eadL,0x015724e6a366674L } },
    /* 186 */
    { { 0x039b0e3c40849f2L,0x15266d22084c609L,0x0a67951fd92544dL,
        0x08f537758cc2a6bL,0x13547af692e4bdcL,0x03d3a50cad0b232L,
        0x08aca17b2cc662dL,0x05a4f0aa7f93bcdL,0x1471c038a0e2ba5L,
        0x15d0dc41ade5d49L,0x1d4369bcc7b2884L,0x07ed0056658da97L,
        0x113c64c8c4d146eL,0x1769094b864e009L,0x1a14c3eb4c3c4b7L,
        0x1bca336eb7ff738L,0x1b723c0ad3e8918L,0x00c074ea9539bb8L },
      { 0x116542f29ab77b0L,0x08ece7bd7731461L,0x1a14d4f0bd03750L,
        0x089615c99e08980L,0x15fc266f638dc7eL,0x17f5bed04920c2cL,
        0x05e618e7699c7f4L,0x054ad0b1daabd47L,0x17a694f3158f383L,
        0x0a119e3698b6c18L,0x0b2c98c28d69eeaL,0x0fbbe3fee2765f9L,
        0x0559eee2f3fef8fL,0x0ab6832545cda29L,0x173f3f346d3e46cL,
        0x1d6822ef0cd845eL,0x1b412bc25663777L,0x010e5379e6c55c2L } },
    /* 187 */
    { { 0x0162b13a3e66635L,0x10515954fbb5787L,0x08c11b6ccd587bcL,
        0x0ef005771b568e7L,0x0699b44c0840bd7L,0x1103f8adb5d7af5L,
        0x004171b8464006cL,0x009cbbc2d52f216L,0x122b12f15db67f0L,
        0x02fd6a2c5012e92L,0x1da54f7c2845086L,0x0537e8a06981799L,
        0x001c277bff4c421L,0x14054f0c07ba020L,0x0aa8ad1b9102d30L,
        0x1b29eecfbd1eb08L,0x0353de20ab805e8L,0x02d7fac2c90113bL },
      { 0x05acd20a8458e40L,0x0abec0a4b995ec0L,0x04c57c729cb5695L,
        0x192a56a6478e0e8L,0x0494fadf7f2e269L,0x1e93332e2c92ab3L,
        0x0a19454edeb3469L,0x0d74dbe0c7b0dfcL,0x11e91db1357d53bL,
        0x0caddc4f49f5680L,0x0786bca58eff9a4L,0x1385104f110c7aeL,
        0x123b859b6ffab2bL,0x1b814ee8bbc1b34L,0x0611585b9a545d3L,
        0x1b0938f30f0ecf7L,0x17764fb4f1d5907L,0x01f55bf0e446c54L } },
    /* 188 */
    { { 0x13a94b652e5718bL,0x17d2a7a6770f4e3L,0x198d54fbb7ab8ebL,
        0x16be759434ca9d3L,0x0d083316f2541e1L,0x1fca876b894a448L,
        0x0f929e596bd8fedL,0x179b1f93c1b8e9cL,0x0b4ee48d2eaf79eL,
        0x02c543545bbc3f3L,0x1d887fdf33abc29L,0x1dffbecf301bb18L,
        0x02f91067278228eL,0x183f1b149086a3aL,0x1c78a7647d8d406L,
        0x1714a882ec38cf2L,0x144c0ccc65f03a3L,0x01a48ed279c704aL },
      { 0x106d046cb062eaeL,0x0db9aae843bb6b3L,0x0148a48c574bb9fL,
        0x05880577b701bd0L,0x06ed33374078566L,0x0b4769afc9a92e1L,
        0x02c79b3a85359f5L,0x0eb22d42312cd11L,0x00fbd52055dc716L,
        0x19e883bf22baef9L,0x0c402bb0248cd60L,0x1a02d9b0a7129d2L,
        0x05432263682f9e1L,0x0dd267ebf75e9b9L,0x13160e100745cacL,
        0x02fbc6efb573aaeL,0x018aeaa695880d5L,0x006421efeb568adL } },
    /* 189 */
    { { 0x15811ffc9373300L,0x099954cfee18022L,0x0070d4f2d95470eL,
        0x152d507a4fc3377L,0x12ee3f1a774b924L,0x06ab63e5fe47e5dL,
        0x0bde6bc9e3b1004L,0x17edfbcd05fc157L,0x07566d0727339aeL,
        0x09ad6aeb8902edbL,0x0f9a51c1472742fL,0x0901a7460cf96b7L,
        0x14572d7530577dbL,0x1036c29e96387faL,0x0afed77a1856bb3L,
        0x11daee33339960bL,0x169eeefc96bea0aL,0x016e6234e9afb6fL },
      { 0x0a6cd06c65f0e77L,0x03cc05eb8d8a566L,0x1e2cf24f3003773L,
        0x075d197eaf6c443L,0x16f8e63fddfcd5bL,0x10995bde494b9fbL,
        0x1278ba61228d01bL,0x034998b3407aa3dL,0x19c9d32bb3a3308L,
        0x009082940742335L,0x000ca86ef9ca540L,0x0ae449270891856L,
        0x0eb6bba0ffdbfc6L,0x0054a40174b9506L,0x0762f1fd830293fL,
        0x14171ec588398b3L,0x1fc820c96ee312dL,0x02d0d32ede6defcL } },
    /* 190 */
    { { 0x1ba691a42485684L,0x08b5c94e23864dfL,0x05c798a8146584cL,
        0x0cbfe933b569603L,0x05238efff3245aaL,0x0eaa8ae177c3fa5L,
        0x0b2b305b71aeb32L,0x196b4fe44fc5b7bL,0x18dedaac4a9bbaeL,
        0x1984536973e4c42L,0x1cbf0b9a25564ffL,0x050a2efc0c2298dL,
        0x06300b1bee3655fL,0x09e0bdaa531f468L,0x05d098afb4339e4L,
        0x0806f94957c6b89L,0x1d9f4b44a17bc4eL,0x02d74a84cf7f2fdL },
      { 0x02e5ee7804f7455L,0x124cb9103334109L,0x10c5de578cccd06L,
        0x19c91df9db2fa49L,0x19fbc21c12f4123L,0x11d1d77439c6c90L,
        0x09b6eecef718419L,0x0ea6c07b1850b27L,0x1926227f2e3c1acL,
        0x15495602f55728cL,0x05bc2ff5a04ab3fL,0x1089f85505b8b6bL,
        0x1a63522b273ce7eL,0x09433c4a9c20240L,0x1621a220d8222c5L,
        0x0f95843ff6f984cL,0x0980ca331612f4aL,0x02088333f51f6e9L } },
    /* 191 */
    { { 0x1830357c2d04b63L,0x0d1a6fa494d0c40L,0x1b688b46577cff1L,
        0x13968648e78e77eL,0x0997f13814df2f8L,0x0b027a1a2d7f2e7L,
        0x02b97638fd7e62eL,0x1e75af285d2a182L,0x0cefd5447eed25fL,
        0x1b4728f0739e066L,0x0b5646ad53e932fL,0x020a256c3918b63L,
        0x13b5abf7608bbc1L,0x00f3cb24ddc9948L,0x0332f9f6c48c6f8L,
        0x0db73a1507d2208L,0x1ea3dde426f90a9L,0x00e675b229a6f88L },
      { 0x1210c4f0c6d0f55L,0x0fb0dce339e4e96L,0x0466a738feedb2bL,
        0x192760c7c9baff3L,0x145a93be135f494L,0x0977be2c05ed9e0L,
        0x0eda9361c8cc83dL,0x1dce9b0edd11029L,0x14f6f723ac7a97dL,
        0x0f15c781f1e6c19L,0x0bc20ab9c809c1fL,0x05a9bbf490dcc2cL,
        0x198d3a17c6e88ecL,0x1cc00b8d6cb2e42L,0x1bdac898b967950L,
        0x16406156c50bb77L,0x0a33cf451954d48L,0x00f8ba919a7512fL } },
    /* 192 */
    { { 0x08a765b3467ea91L,0x119777e96ce22c0L,0x11b673caf1bcfd1L,
        0x006b30275cf6ebbL,0x044cbd8defc8d24L,0x092b1111f65904fL,
        0x1866966e8438c85L,0x1eff429b2687e3dL,0x1df97c21bfb0c48L,
        0x073144875186a1bL,0x1b8a919451d70b1L,0x03c824cce54b650L,
        0x1c31aab3b8291f0L,0x10be91764e37ed2L,0x13c2eb6dc9de96bL,
        0x125c37b11db0722L,0x02bd0b05d1b6a23L,0x0265c57c832c49eL },
      { 0x0b02057bb4b1953L,0x045a27acbfb7751L,0x166d79904b21338L,
        0x1b679a92330a9ebL,0x0e42bb5d1913262L,0x073fb04813b1723L,
        0x105b20d57239b5eL,0x0311df55048716dL,0x0d0173790e550f6L,
        0x0c57a3172bebbc7L,0x0b57a1c56d1c504L,0x0d8683bd49f342dL,
        0x12280ca61090059L,0x1ba632d0954abe1L,0x0201050bebba000L,
        0x01f43b620a24ea0L,0x0fc8c1db931ff08L,0x024352e12ebcc3cL } },
    /* 193 */
    { { 0x121e213941b4f36L,0x07d8a7c01da7c82L,0x08b94a952ea2eabL,
        0x151fc8f2d9fbe3cL,0x18dbacb6acfabbbL,0x0efd28d703c46daL,
        0x05bbb7e635cdb06L,0x0362ab850d46b4eL,0x0be7d46769c8646L,
        0x05b1c07b1d3252fL,0x1064527d8249894L,0x0fa145bf8b66296L,
        0x15cef466ac0919aL,0x14c35576622a6d2L,0x09273b64fe92891L,
        0x0eb5aa12162e2e3L,0x054602f1d6cc1faL,0x02e934fc4bc7260L },
      { 0x074030c14920419L,0x0ec34484b439c9dL,0x1313badc3e98211L,
        0x1bb3f8b79703732L,0x158f8f2dabcaa06L,0x0e29550329ca13fL,
        0x06ea8d7217d9ec7L,0x068b4fb1ae45922L,0x14041005caec2d8L,
        0x0c345223d4729a3L,0x18602e37944b0edL,0x0dca4222d1d609dL,
        0x0b2317cd8a4daa6L,0x108b26fb605eaedL,0x0eb5f2687506175L,
        0x04d0759db944c3bL,0x10f0fe4b5ac09b0L,0x04564ccad136caaL } },
    /* 194 */
    { { 0x0c8dc9b2640a39dL,0x1859c76f064fcd9L,0x06f687b2e82887fL,
        0x1a101a082ee9e8dL,0x149946048a902ccL,0x1b558af4ab7d197L,
        0x1d248d23e173e5dL,0x0cf843f8ddc00cdL,0x135b1ebfefeeef3L,
        0x0022c0e2309f2f6L,0x1fa39ba9ae81c5eL,0x14652a1ae7db97bL,
        0x161da48889ddfcaL,0x0dd7fde8e4ba3c9L,0x0ebab9f3a19f233L,
        0x02591a4ce863e39L,0x04d682550458979L,0x0063e0eee6bf50fL },
      { 0x1aa30cc1ce963a7L,0x17b266262fd6f29L,0x0be0a0a2befdcd4L,
        0x0d9442420e57354L,0x05a576dc64273c5L,0x1ae3be556ebb2a4L,
        0x1ce6d865ab0fa42L,0x18841a87d3fa355L,0x1fc392062cd05cbL,
        0x00b1c392607f97eL,0x0ae360aba087985L,0x12867f4f47e19e6L,
        0x0df644ca925f58fL,0x0c8c53afd75f8e9L,0x01d84603018558cL,
        0x04882f3136bdad7L,0x1abbf342445ad41L,0x0127fe4d70efb19L } },
    /* 195 */
    { { 0x1fcdc0593c7cb2bL,0x01dcaac8029fdc4L,0x0f3d8608d0f3049L,
        0x1ecd8314c6c03bdL,0x0c913287364546eL,0x1c4618d2948380fL,
        0x1df5f0d6e009be5L,0x0510a570c5525a3L,0x11809cb050aa797L,
        0x0bea33e51e59002L,0x11df027bd6e51a2L,0x1885e4483309e41L,
        0x0df35bb206c3372L,0x14e0a05aed029f0L,0x15beccef09b1b42L,
        0x072d0c39f981996L,0x1a41c3cf9ef299bL,0x044f269e8a0310dL },
      { 0x15e80e7a45a9be3L,0x152bc039ab7dee9L,0x18bae59ef0bf136L,
        0x1c8f9a2dc6030daL,0x1f30ce9ba702679L,0x0327a865178e012L,
        0x0759bc4816d187eL,0x13cffadaf2f0a0cL,0x047edc4f68a0880L,
        0x0d60224cd269d71L,0x119929b47e76a17L,0x1d09af5074e3f08L,
        0x0ceaac33f19f30cL,0x0a431155f49c15dL,0x1a07ac87c0ce0c6L,
        0x16b8f606f4975eeL,0x0fbd156a90899a1L,0x033ae9f37f378e8L } },
    /* 196 */
    { { 0x1767ffd707193e5L,0x05548c081ac72ecL,0x07fcca363bdf91eL,
        0x10db77b34eac69fL,0x1e215686913a0eeL,0x0ced1c1bcd94b43L,
        0x0d34a40fd042a27L,0x16bb3f1af723626L,0x09fe74229bd82efL,
        0x1ab45b11c01e3bcL,0x068d434f494d136L,0x0b60e4892fd127dL,
        0x16a169e23b559c3L,0x062da634e2396a1L,0x11fd4c4261918cbL,
        0x0f1113edaeb3b07L,0x04ba91cf1db1e49L,0x02fbfc97f30578dL },
      { 0x18a1cc60545167eL,0x1170157fd447078L,0x1d450ca9ef3d57bL,
        0x054ea210cc499bfL,0x00511af77382da4L,0x178a11f44a608faL,
        0x14abaa93938c4aaL,0x06b187a6de1ec7bL,0x1fc5c9550d76606L,
        0x0929b989bf53f55L,0x135660e6e543d80L,0x0c0281cc688454bL,
        0x0ef2ac704595a0fL,0x023587b9c82f11cL,0x1215e2912eb3039L,
        0x0f00699a840dd88L,0x18d367b1aaaa5bdL,0x012df676c8515a2L } },
    /* 197 */
    { { 0x19a73820c33a8fbL,0x1b6688792ee0e83L,0x0fe31b520adb3efL,
        0x180f7f08949ff8eL,0x199162f03e51f18L,0x009c08d3b2891b2L,
        0x06282b1669d3850L,0x1632af4d0cbcaa0L,0x1e1ec51bde3ca09L,
        0x0063f59d4b0129fL,0x0ff451f780fe12fL,0x1da2a5f7b613d07L,
        0x1dcea15ec1c0540L,0x05930983b5d2976L,0x0e5c81bcf4c3b55L,
        0x0e75537af75d1d0L,0x163f20d86920963L,0x00530b525e1d85fL },
      { 0x075f3ed6e1339c9L,0x150395fc5805310L,0x120af3366d1debeL,
        0x1e0194a98fbf5fdL,0x18bc31ae4713158L,0x06fe45224881789L,
        0x15352be63c560c4L,0x18993de40eab3d2L,0x1e8021af9c527a0L,
        0x140093bbd0c9011L,0x1d4e31fec08dddbL,0x0e9fd193d2a2c6bL,
        0x0d15cc90975df19L,0x1bd288ae0143fd7L,0x0b188f7e81ca3c3L,
        0x1741321b7f7cc1fL,0x04ca8d40fd40311L,0x043b68aa703e323L } },
    /* 198 */
    { { 0x1a4d6d2c2d3ea8aL,0x1340dd421300769L,0x0037901c19c8dafL,
        0x1cd4faf4f78a7e2L,0x1d5e1a83e3e5b6fL,0x04be153734ca7caL,
        0x040441f2b3489d8L,0x04825b31b754cf2L,0x0ddfc4461102e0eL,
        0x00aede16a499395L,0x03992ea50d9a592L,0x163465657f20fc7L,
        0x05d928e28b4960eL,0x1503be4f6d22ba9L,0x1587401cbdd6ce4L,
        0x028ac4eec1976ffL,0x100af235d1b0f4bL,0x01820611df3b68bL },
      { 0x10dc55b4efa9a70L,0x120a7a9f4330858L,0x044c27e289ff537L,
        0x0a0ccc3a787b2b8L,0x00eb513e505109aL,0x1e99c5e5514ca53L,
        0x19c7cfb9054dc79L,0x1689fa28bf88ca3L,0x051bbf838cbc313L,
        0x01cf03c0f5c90a8L,0x05ad1052fd6b1ecL,0x031117c1a919d0dL,
        0x15dd8f2b6f2d667L,0x15c53fc55f49d97L,0x1dd4717077f479fL,
        0x0e97d0c567bb321L,0x1a21eb1ad58a32aL,0x02a436bcd0f5de4L } },
    /* 199 */
    { { 0x12e34ffa1359e13L,0x0c6df940cb028e5L,0x08f48d592d7880bL,
        0x0c85ed5825d2bc0L,0x1653725dfb1340bL,0x123356aa1dd4295L,
        0x1ca2e06bb735a34L,0x0cb7ef00448a8f8L,0x1559f8a119569fbL,
        0x02dbd316fd91764L,0x01d5027bb579494L,0x0510533ede220e2L,
        0x013db6f8c79c899L,0x19e53cd4d3eb493L,0x08582c0c3adfeceL,
        0x0813595733771f6L,0x18bd2012568d28bL,0x01c078d87ad622fL },
      { 0x0b99e6be6a0068fL,0x1e79564539ba9e0L,0x1522cbebadf12d9L,
        0x126804c1874d934L,0x0c0f739e7f417f9L,0x04a4ed4772b42aeL,
        0x1bbffc22d443de0L,0x17762ee1f851ab8L,0x0b4f5abeefd96a7L,
        0x03d889b79332d15L,0x0e0292d80773e68L,0x0c282c57d98c5f6L,
        0x16ee6b83b3cc803L,0x1460bf759a4c7dcL,0x1dfbf0baa6c3f5aL,
        0x0167cb0696b7542L,0x05e929044f55b11L,0x0255f6ef6f5eb94L } },
    /* 200 */
    { { 0x155e1b9700ef376L,0x12ecd3366d5ff99L,0x15d51fa1d91b55bL,
        0x1401ef26d367b84L,0x00c52e2928f44b8L,0x14d9c90461958f5L,
        0x08e7569e37848dcL,0x0d68308a33564daL,0x123f6b4b7e0ce4aL,
        0x1afb7c5565954fcL,0x0f1153881929648L,0x006837e60c5d771L,
        0x1b94dff6f937efdL,0x0553fd0335d6341L,0x02cdd170cd92c7aL,
        0x1f61e0c2cee559cL,0x0d346f08d08d1e3L,0x0351055d98c7099L },
      { 0x08310166a85cbc7L,0x084a349a7cd53f5L,0x02239de3c6cf426L,
        0x1e448f6f3384422L,0x054484ce7ea4ff8L,0x0c61b2598b8eb8aL,
        0x05160a500e5253eL,0x02cbb5223e72fbeL,0x0a6b58093094391L,
        0x0fca84d0ba11c5eL,0x1460860825d635dL,0x004348f24ba1fd6L,
        0x14af8a315eae0c6L,0x15d6825b874a334L,0x1c911f6b9ebe28dL,
        0x0dffc8982bcffe0L,0x1775184668aa545L,0x022f1a9d3df9b5cL } },
    /* 201 */
    { { 0x005676493092f71L,0x15b617adc96b8bbL,0x126f8b22db17ad9L,
        0x1441806c7d3b662L,0x03cd7097f62f583L,0x1c8b56344566998L,
        0x06c3a174303e3aeL,0x1a237ee8c590983L,0x1c76ed5f97c4a6aL,
        0x045c45d688cf9b4L,0x00dc6faf942e0fbL,0x0a110cce0d4cb37L,
        0x03f8373d2c0cc69L,0x152d017da98e3adL,0x0e6874138734e8cL,
        0x0667dd04e8ef1b4L,0x136edfc5bbb75daL,0x00aca0f92653cdeL },
      { 0x0e8c0f8a77dd512L,0x1acd38ee1b2fb21L,0x133421d4e18aa46L,
        0x1ba4e5f595d01a2L,0x0027cb5a1624230L,0x17cf81f751f60b2L,
        0x0523705c02d6707L,0x1e3a823824e1b46L,0x1801ee448c4181aL,
        0x0f942accf1d4805L,0x1ec2f43426bff7bL,0x1f2d166e0048bacL,
        0x00e6f836b8d839dL,0x1e9900e49db183fL,0x0740aed4e0b9622L,
        0x083d2c6db14d6f4L,0x10370b7db769686L,0x0368be1a508c7d6L } },
    /* 202 */
    { { 0x1608841c181c99bL,0x0e480e43dee57e7L,0x111cdc836afad97L,
        0x0ca6eea2b768c16L,0x0a96c2774c79c39L,0x007a206a23f9170L,
        0x00eb4365484c0abL,0x141066164d7920bL,0x0e25e977a928904L,
        0x0f57fecc2e2858cL,0x16f2de96b57da87L,0x00339146fdab9e9L,
        0x101e9850b6cbcd0L,0x185c7302bc236ecL,0x04cbe406b20652aL,
        0x1c51772e50ae268L,0x14e4ce9f149f56eL,0x00d5cdad21f4f0eL },
      { 0x06dab92314fa7a3L,0x1787823c7fcb190L,0x1c4e41367f6f312L,
        0x1625808bfc999c2L,0x1d8f6d7dac20a2eL,0x1db7fd227e2a3c7L,
        0x1dd6221b9cb1729L,0x1aaff48a536dfadL,0x14df1d1b192a820L,
        0x0c097cf93c4f8a4L,0x0bc20eaaed4f48fL,0x073654075665308L,
        0x10b151250226485L,0x198fb5eab18e704L,0x0db98d384a53455L,
        0x0cd5f64526c3b28L,0x1ed8c4281c43ca9L,0x01259a4ab610d59L } },
    /* 203 */
    { { 0x1bdcb86659824e2L,0x067242709f3a624L,0x0899aef87ba9b71L,
        0x0e3c7d88af49803L,0x0f5a8e4b47b2b8eL,0x19a986bf458af01L,
        0x1480ba07adb9b8cL,0x13f59746d3c2f48L,0x081241431d70e4cL,
        0x0c857a59f095f5cL,0x1c148c47d21bf70L,0x03c253f6579ca64L,
        0x0bb70f6c089f6c4L,0x1ff5a23bdf3143fL,0x13c62ec51e61428L,
        0x1a081f9fbf62337L,0x1f9925c292fda80L,0x01096b2f2bf1e2dL },
      { 0x1adb386ca15cf08L,0x1256240f0b97591L,0x1e4d350b430137eL,
        0x06e8809b8f3a3b7L,0x0932bfcdd9cf607L,0x14154c30284220fL,
        0x073026ba4432871L,0x0612a51f8308358L,0x0e6a120aedbbed6L,
        0x07070f618667928L,0x12e953962efcbe5L,0x169f3f54882bfd0L,
        0x07ecee7ce5c66d0L,0x17d3439d062c78fL,0x07c4d21e8750fadL,
        0x0f56f2d8d8b4073L,0x047e6ef9aaae672L,0x03357d2aa4d2e12L } },
    /* 204 */
    { { 0x05aaba8c980e91dL,0x07a84b564c77d6dL,0x182a368c998aa4fL,
        0x0001028a7d61321L,0x1d71de8401d2153L,0x0cd00915d8699f1L,
        0x0e39d197db600f8L,0x118b205fe98f150L,0x174e2afb7193134L,
        0x04993abce7d82bdL,0x1a9908eb40fe3e9L,0x048ab1ff4814ec3L,
        0x1977a87e30b7d4cL,0x04e426935af4e06L,0x0658e834717b6ebL,
        0x17e1bd95107347aL,0x1dfbc6f2f35ebf6L,0x000f7831886ac55L },
      { 0x1f903163ecdcbb0L,0x16b9413e0e4aa95L,0x00c255d724c0678L,
        0x132d3072613ca4eL,0x1cd082df0dc1c5aL,0x0bf028f7cfc07fbL,
        0x06d57364541d77eL,0x189e50dfffd398cL,0x1352db38f80f24cL,
        0x0cdccf61b291d71L,0x0a32a042c412a7bL,0x1fce60a4075a213L,
        0x0e769400f5c2700L,0x170622961517712L,0x1c0a90756574e67L,
        0x0616e156ebad5efL,0x002341080990db7L,0x00727affeaf4689L } },
    /* 205 */
    { { 0x11c64440ff14c38L,0x1acfd576708f95eL,0x169c8abd8cc2696L,
        0x15055e49dd548c0L,0x0b9a1159ddc9f65L,0x142757fa7725ff7L,
        0x0ab38918f41d9d3L,0x1971197c3c01c17L,0x17ca568ead5fabdL,
        0x0c06a9262bf5cceL,0x195cb3a6fa61cefL,0x1b9ae60170bd388L,
        0x1240f54176918a1L,0x1ad8a11b2491098L,0x0d3c5abdf8c93feL,
        0x1b2f881bb4a0248L,0x02008833421a133L,0x019ea08b0843b78L },
      { 0x131a36b9878e5ecL,0x1f190a348c1193aL,0x08cf428c1191778L,
        0x0f542e6cb3a2bf3L,0x1925d4fe734c1b8L,0x11587a56104a517L,
        0x172f10f25968709L,0x000eb39207c88faL,0x092af215e052393L,
        0x1fdb6af8fac9f9aL,0x10ed2f0f376d7ffL,0x05397fbaa810cb2L,
        0x0b198d76c09d03aL,0x00793dacc7be6d3L,0x0d6333f01e4288bL,
        0x09fb974aaf50919L,0x0665922052d76c5L,0x0169ef3d523db5aL } },
    /* 206 */
    { { 0x0de746265add3b7L,0x0479ad5f9261555L,0x072b8695f64f962L,
        0x1c58edef7fa82a9L,0x1e3202b30e22e18L,0x0e878533f944755L,
        0x0b462de699ae874L,0x1d21c156e925103L,0x17d424086c7adb0L,
        0x186196294210997L,0x11dfc563e6827a1L,0x06e5d804ab130b0L,
        0x1ca5098777422a9L,0x0bb3002c5f21462L,0x1fcdf3d16de5591L,
        0x0c512d8ff8c632aL,0x0a68b7023ddd631L,0x023801ddb2d8e09L },
      { 0x19401c1c91c1c96L,0x0e6fc93d094b86cL,0x185f0f0a441ea97L,
        0x0f47fc8e2075725L,0x0ee998ee26fce8fL,0x1d20fc58684eaf2L,
        0x0941abe98881238L,0x0a56380254b44d9L,0x12c6f734c99b572L,
        0x049ebcfa897bff0L,0x0241bab3b866984L,0x07020ada3d4c5e6L,
        0x16eff35f216bff8L,0x00d6911230e3ac2L,0x083f7a1b81fa5e3L,
        0x1d0365994d942d6L,0x0e6ab4d6d2d633fL,0x039effa82583516L } },
    /* 207 */
    { { 0x1615805d8e20fb8L,0x039f2415a99f845L,0x00055aa15329f1aL,
        0x19966d2422a40beL,0x07f092b787fec6aL,0x02ff260fd1e0766L,
        0x1c4496cd991fba1L,0x0dfa8f03d0bf163L,0x0c65268398b0f1aL,
        0x175c6366e5c75c9L,0x1c3ab6397db54b3L,0x1c4791b269b8267L,
        0x1d428ac45a31883L,0x0ddfe54290a76adL,0x196b84fddf2924bL,
        0x00bf7be8227fc0fL,0x13563e4a0d272abL,0x03aa2685bb8a47aL },
      { 0x1e8d13480797aceL,0x0b55057c36cbf27L,0x1a23bd69a3f085bL,
        0x0b3f364d09b7e14L,0x0999d2fc18b26f4L,0x011caaa97f7e7d4L,
        0x0de0356be360989L,0x15f1e2468d3ec74L,0x12933454fdcd4feL,
        0x1400c5bd39dae84L,0x07c9db9554b062eL,0x0e7bfe4d763935eL,
        0x1006dd4f44c5d47L,0x0f9cdd24cf7a4a0L,0x1b293cab63c4be5L,
        0x1eb34aecfedb9ecL,0x149ba8773f17922L,0x0110040f560f216L } },
    /* 208 */
    { { 0x043d573ba37a0baL,0x018de6e8bb6fb18L,0x13f31081c3dc169L,
        0x1ccf85a21206645L,0x0bf8bcfa5cabd30L,0x03d8859b164aef6L,
        0x179935d9f49dddeL,0x01cc25922bcdd80L,0x19e669631ce69c3L,
        0x1e4eec7b417131aL,0x087c4a57ff30e09L,0x1cf31455b944f20L,
        0x044b5d500a06a8eL,0x06c06b62c70073cL,0x17c43321dd1bf1eL,
        0x0dfb048c0a77d22L,0x133844e328b219fL,0x03102a0d608de9bL },
      { 0x17fd382509e5a29L,0x06be85a19298f07L,0x0d5334e20ee61d2L,
        0x0917f762f51ee92L,0x05f2d2c5c6b8ac7L,0x058dc1d230b5330L,
        0x0996acf6598946fL,0x0b19eea62085fdcL,0x0c70d73fbdb2250L,
        0x108ea1a78616aabL,0x01876152c966cc4L,0x00db88567efb0c4L,
        0x05e86a4949ffe46L,0x0b0776d6262e42cL,0x03890801377322cL,
        0x02cac30099cceadL,0x09791f3855a4214L,0x03f9bc0cc7c995fL } },
    /* 209 */
    { { 0x0374bdadfa6639aL,0x0a46a0155b9c8cdL,0x08d91c0c78b432fL,
        0x19a0b33a3eb8bdeL,0x00d38443b49ee2bL,0x09c9746942f5b07L,
        0x14e3f6efaa4bc9aL,0x0d1228abf7f7178L,0x0ae259ff1e469b7L,
        0x0e7658fa0ef2b41L,0x1bc1c6654b46bb0L,0x0303cf7ee88d90eL,
        0x06282ad2f11ce25L,0x15d277b3e5c9d6cL,0x01ea8fa3e8f34c5L,
        0x16c11f9cd1409caL,0x0d0ced74170a61bL,0x036f38b59fb5608L },
      { 0x0e58d04172d6dc5L,0x166f331cbe32e6aL,0x1860327ad3a2fb4L,
        0x10ebf45db6f5cefL,0x091e67385627546L,0x0e4597259819275L,
        0x0a21d808ea1588dL,0x16b3bedad8551f2L,0x0ec2c185ff6f5e8L,
        0x04970959d6aba45L,0x0ed3cb552bbef1eL,0x0891dd0d1042f5dL,
        0x11b1d9bd5b14915L,0x17f806fbd1362fbL,0x16c77bb97334598L,
        0x1eee9d7933e2f72L,0x1b0909836163fe1L,0x028fc84185d9e92L } },
    /* 210 */
    { { 0x1376fa1f2922461L,0x0d8e18b286868a4L,0x10cc376182376ecL,
        0x166d71320d25723L,0x1f5600523e612c4L,0x1512a2f0cbbd85eL,
        0x0f63be2bffdc18dL,0x1759b4fa4f022e4L,0x00b0bc4bb81bde7L,
        0x058405976952bc7L,0x0834345c6cb808fL,0x119f2837735cb7bL,
        0x1bc14a65c5f6df3L,0x00ceecc742eec0eL,0x081be4dfe6320b7L,
        0x17cf18c26e8fea4L,0x1e79e13a2c25f5bL,0x02f7690c70551a5L },
      { 0x156575401d4dc0bL,0x12f93fab35d83f0L,0x0faee088975686bL,
        0x182313d8d7d30bdL,0x0cce4d9d5f3ad21L,0x1b2dac8bed28c67L,
        0x1dc732128b4fb5aL,0x0f4ff3102eb1ff4L,0x150d6ae122ac69aL,
        0x1bf9858e3734236L,0x08e9816f42ec4f2L,0x1d9bae7e480f180L,
        0x0ce5f0a9969a10fL,0x1ec7ac034628ac6L,0x1691b8749afd856L,
        0x1a6115e65d50f22L,0x054eaf74e810287L,0x0460a5d03531321L } },
    /* 211 */
    { { 0x0877895b17ee201L,0x15238c472bd3b86L,0x1d8e5e08915b016L,
        0x019387743a3387cL,0x14389ebe0be6f8cL,0x13fddb7f42fa7fdL,
        0x1b1914e2f333833L,0x0850edd5654ca4cL,0x15c9ac690cf9a38L,
        0x1ae79d8e6647cc0L,0x1ef9aa73da1f7a7L,0x01f90706b82bf42L,
        0x1b150ef2ebfcfc1L,0x04252973043587eL,0x1347ae27e5fb366L,
        0x0077482dcdf4561L,0x05ee2bd15993eccL,0x0322e052ef55d8bL },
      { 0x14c420550aa7e31L,0x06f8617c28ed2ecL,0x0424f1c9b9aabb2L,
        0x0c4c337f3532c8dL,0x0253fbd572dbdc3L,0x184f030da130707L,
        0x1b16e5f0967ee31L,0x1d3f57ef9779bb5L,0x1b4d5e8b1e4b703L,
        0x18372b7039a77eeL,0x1293e47d57e2946L,0x11747eacb91a05aL,
        0x12816d1d947f860L,0x0e73d89b4117a3eL,0x1410908330d8559L,
        0x0cfedc8ddcbde63L,0x091b2a65f706835L,0x013f4ffa0697d36L } },
    /* 212 */
    { { 0x1251893d7e952e7L,0x182c1e39adf8c3aL,0x064a5bf8124456cL,
        0x1100da5f94e656bL,0x1b885ed92745185L,0x0faaf638d5bb500L,
        0x0ea72f73a765db6L,0x0567b4c164091e5L,0x16977c086592b13L,
        0x16e54e584c828ebL,0x0aac8f4622b896dL,0x1e7fc4155e7bb38L,
        0x0f5aad74d09f469L,0x1154f59dede8fbeL,0x1c04310f57bf970L,
        0x004c118bdbf4426L,0x176ada2217b5787L,0x027f772b39ed64bL },
      { 0x0e18d52b5d3d780L,0x0dae9838b33a218L,0x01b969d0855936bL,
        0x1d1ad7770c641a7L,0x0d263dd15d8c290L,0x0c231b4c0d21919L,
        0x0b2c4cf439f2a62L,0x1fea270f09b4a33L,0x0832e3fabdddc81L,
        0x013c2ca18ccd21dL,0x12af3cc9d0c58ffL,0x017ae9f29f4eb69L,
        0x1d5694a6279fa01L,0x05b2bd1261453a1L,0x1a897ab074aa223L,
        0x0c3fefdde4a07d0L,0x00eed11a5d304c5L,0x027f40c73ce4f6fL } },
    /* 213 */
    { { 0x0252c9d7fc1c7ffL,0x0a0cecfd44d6880L,0x09290193a732a6fL,
        0x1087285d9992742L,0x0749695b384cbcbL,0x08b2df802610fecL,
        0x04409a720767d08L,0x09bc464ac51bbc0L,0x1ec9374575a9b00L,
        0x199a35ffb6e7e10L,0x16992d34dcb1f7eL,0x15a7e40929c5589L,
        0x15e867c150cecb7L,0x015b91ec2b1620dL,0x194c8c4a64e573bL,
        0x0cb2f9235bf8afdL,0x1fce06f1161f10bL,0x040c8aa94dba69fL },
      { 0x0c124316ed9d4eeL,0x1d0aa344d7f80c7L,0x127caa268fd0f7fL,
        0x05a8cfdf6495746L,0x039102e22db1e8eL,0x1784158c6f51aa0L,
        0x1751d08aae14f94L,0x1dce2614583da6dL,0x1ca60e86d0295d1L,
        0x15634043e3fad69L,0x0f3b3f7a1919639L,0x18428c3a24ca1f0L,
        0x10bd38509972e66L,0x13319144ff77a0aL,0x0b71e543c60fceaL,
        0x0ee044ea8a97cf2L,0x0f32744c11b1136L,0x03e835e63f47537L } },
    /* 214 */
    { { 0x12859427090212fL,0x1bea62a90f42244L,0x108af8b6ee49a46L,
        0x1b7b03f10098070L,0x0c89bc36317721eL,0x078026e09b65f75L,
        0x02ae13dc6d82deeL,0x09a4d2265a09c43L,0x1b0e2496ee6cc81L,
        0x196718bbafd6e0aL,0x0f02119b488f142L,0x154c98c25f1705cL,
        0x0ba4b653559721cL,0x03e9ece8acd3a8fL,0x0350918d0ceab57L,
        0x079543cc373a5d0L,0x192149f655ffc67L,0x0245a95cce87ce5L },
      { 0x1915399efdc05beL,0x06d8c09f04af4d1L,0x0ba7376cff6b79cL,
        0x04340128a288f0cL,0x03920ea3a2b0316L,0x1dc7f5a593cc061L,
        0x05b52b14e53c688L,0x1342c7ee4ac7cacL,0x0aa0ff93fb71421L,
        0x137cb6949eb123aL,0x04baa1f73f89db4L,0x1e5e8e071a2bba4L,
        0x05f418168eab27bL,0x19954c4d72c6419L,0x127c4ef8dc1088aL,
        0x1095b46d287217fL,0x0ecf16e26060d06L,0x00be06f43cec63bL } },
    /* 215 */
    { { 0x0a5f453dcc01958L,0x02caa0e7441c9deL,0x0285587d6db5f65L,
        0x0cfc5a6d78bcc6aL,0x05ac3a6c291c3c8L,0x000366fb63f6c25L,
        0x1b0ede44f102f66L,0x153ef17610eace3L,0x11c928f6eb43e89L,
        0x0f946f9d70f50f6L,0x0e96c6e492cad7fL,0x0e0a3422dc0ac57L,
        0x17167ed3e3491d2L,0x0de058230476015L,0x175fd678a473dedL,
        0x1336e61ca02d318L,0x1d70c7c350df5c7L,0x034315cf1056370L },
      { 0x0c6f4e79ffa1f64L,0x1548d50f121a4abL,0x183336dd48cbfb5L,
        0x0e0645ac0fd341dL,0x062fef87bfc90b3L,0x1fe79a14a405692L,
        0x18e3ff08525a70aL,0x138dca423c14a73L,0x02a59ec2612a514L,
        0x0aff1096b835a99L,0x1ec423a67210a46L,0x1d46bb900905eefL,
        0x0bbd92d29874ceaL,0x15750af752d3018L,0x01c4272b50b7296L,
        0x1ec93ad58778e93L,0x06cc64e1c40290aL,0x02849fd16a8fc6fL } },
    /* 216 */
    { { 0x0cf32804c2d553bL,0x15f111dcb3614e2L,0x12708a5a452b706L,
        0x0b3332ed92aad4aL,0x176e83f3d8c9f8bL,0x02f62be1162bdebL,
        0x187d53ca50aadf2L,0x091de680fcadc58L,0x1f005e8caf213dbL,
        0x186429ef9934c63L,0x12235f2b02952d1L,0x17dac16ea03dcdeL,
        0x06714a4bd9b6bd6L,0x1704c44a7808188L,0x1e4a8014a16f0edL,
        0x1e495d80ce835ebL,0x03832f16426ef7eL,0x0097ce226b63bd2L },
      { 0x151e96483313a1cL,0x0e9ed19e2c59b8cL,0x1d4b1eb1011263bL,
        0x0e1b96bdd09db77L,0x0dd422f8866ca6fL,0x10f6177605747abL,
        0x148f041def15019L,0x07cda732275a844L,0x1d105e1e858e7cbL,
        0x1e49cbfe4bcdda2L,0x0752a4265ed6491L,0x1147d12a5fce644L,
        0x074e9462410ef62L,0x0cbc07a06846ac1L,0x18443b1932fb43dL,
        0x1634627af844e11L,0x118d186d8667679L,0x0017baf2713570eL } },
    /* 217 */
    { { 0x1637ebf47f307d7L,0x02535680a0a3b8dL,0x1594b816a031ad9L,
        0x07fda0f66305467L,0x1696e597c8f1a0fL,0x1fe00f604f73fc9L,
        0x1cee736a9fb0f1fL,0x112a93f11fdf1e6L,0x1c88d1961c3bb89L,
        0x09527f4efe553dbL,0x1e7b88eb92ac836L,0x0c83ebd9634a25fL,
        0x1fe32fb47df5aeaL,0x12e842e073b491bL,0x11d568a5a971080L,
        0x12e47b9224ab04dL,0x141580b985f9bceL,0x03958dab331cb0cL },
      { 0x1708a08790e5558L,0x1b0208344d7c04eL,0x0e2908c4ed7e614L,
        0x04ab493a35d0bcfL,0x0c371b0be6ba129L,0x07370caf3b62585L,
        0x0688561413ce64eL,0x19d1ba82844c15dL,0x1d8b04e9b968485L,
        0x0a625d2c43f7f21L,0x1a399fc47179cfeL,0x1c519ed73388224L,
        0x087a0a966292623L,0x06501769f968555L,0x18ed546c999dca9L,
        0x16b6ad1dd1c9c5aL,0x1adcdebb2992e78L,0x02ef8c90b70b912L } },
    /* 218 */
    { { 0x0027e1e8df2e7e3L,0x1e6346c6d03ef10L,0x09a52d2b9a52c60L,
        0x1e794c5d119c6b7L,0x12efed2c896d97dL,0x1e84279ef2389daL,
        0x048ef401b10389aL,0x1603d36e377f903L,0x09991c7b61aacc6L,
        0x08649b247b2b420L,0x1587461fd1d4919L,0x16237ffa7944270L,
        0x0ffa191418610f2L,0x0aaf2984cb48afdL,0x01cb5e63c48db7aL,
        0x14916c2797dd543L,0x0327f7b44ea66a2L,0x0229132e170544eL },
      { 0x0d5ec7925430010L,0x1c37ff5e8486025L,0x13fc82a74fd72b1L,
        0x0547db8cbf4bf3eL,0x0cf3eb11fcbf411L,0x12db80441241ce0L,
        0x02ae2e375b53a2aL,0x01dc44e3bfb6eadL,0x0e43ec373b74456L,
        0x0757c930e7ba94bL,0x06b838fea5b66deL,0x1a5bb84bbfaa301L,
        0x146bab77110b312L,0x1af678f235c7bc5L,0x07fb2a81a7bf236L,
        0x17bc3832a575cc1L,0x15543e302ed5f4dL,0x00a5815fc8f03c2L } },
    /* 219 */
    { { 0x071c768b87e5b57L,0x03c7bfa98d2ab96L,0x1e2fdd65f7202f3L,
        0x1a273c2ebe9ff27L,0x0b94ca6cb28e026L,0x1cfbfe35c1db93eL,
        0x145c0babf8ec801L,0x0d85594a9bd9e77L,0x017c4133c6af0dcL,
        0x150f332e67af1afL,0x046920d154171afL,0x17a1cc2017134cdL,
        0x06c17d03882633aL,0x0d067c864b36338L,0x0b75931ebbffef8L,
        0x1548c9b08f7cfa1L,0x0a5d49bcdfbaea2L,0x042f03f3a1663e8L },
      { 0x1aae0a60bc25bcaL,0x12af8f227b27611L,0x1b62d81eddcdba3L,
        0x0da600b213c3cd2L,0x0cbc4990aa90a74L,0x0717ae83958e669L,
        0x03b24343f9b1b1aL,0x183241d8be0a7c5L,0x179b21fb4f0040cL,
        0x19bade9fe625163L,0x177be786eb1f769L,0x1af26b81f1a7ebeL,
        0x102cacd318dc315L,0x14937b8e388be0bL,0x00bce69bca08f13L,
        0x1264671b6b177daL,0x030e5b492317db6L,0x004b201cfc6a4faL } },
    /* 220 */
    { { 0x1774f1656999ebaL,0x17143d8ef318290L,0x1c9b782c99a4f63L,
        0x127f128543b035eL,0x0a03e13c3744693L,0x1139e7de7b5b0afL,
        0x1715b4c3030d653L,0x1449fa674ad8ce4L,0x1a57534ada8be97L,
        0x0c921533e115128L,0x06f6d674317125eL,0x0d998d484ed09caL,
        0x0cd426bf59d7cd7L,0x1374df5948a04bdL,0x05b8fa5650128b1L,
        0x0cda08e71fd30b9L,0x056bcbb3e0eaad6L,0x0313587e931de2fL },
      { 0x1217dbae1a1ec42L,0x173edd5ad662823L,0x0c7a194cc746a9aL,
        0x007a6024df6fc35L,0x1ee61851b845307L,0x144aa2140324f06L,
        0x1d8ca201bd28fa9L,0x09e977c875b96adL,0x0036b9bdabcaff9L,
        0x0ca0f32de831bdfL,0x1e7511a1bceaec3L,0x025955ad5fad042L,
        0x1eff7e153414869L,0x15c37ecb4d1dc48L,0x1e4a30e23109b3bL,
        0x13c016adcd50222L,0x0c1933e71359639L,0x004ddeeecd0bdb5L } },
    /* 221 */
    { { 0x1e39c1de4fd3673L,0x06ce8d32e4703baL,0x0771ca271ffbe20L,
        0x1c6a53a4008e4b8L,0x1c747af35b6735eL,0x177efae0fc79769L,
        0x070e573ce663e44L,0x0bbdae44c30930bL,0x123793a2f0e6979L,
        0x1355c6b4358e953L,0x0057788aa20b922L,0x0df9f3b71afc019L,
        0x1202267547be77dL,0x04e0876e04437d9L,0x00fb532d89a1f51L,
        0x0cdd53e387c2ef9L,0x124e6d5d7f05af3L,0x0175500dc68f7d6L },
      { 0x047fb701f357c74L,0x02e2554f1dbca2fL,0x1ccdba16a4164c2L,
        0x1f7c0489929e130L,0x03b5660df53808fL,0x1caf6b48eeefc9dL,
        0x083522dd8ddefceL,0x1e72372236f7672L,0x07ccf08bf86a13cL,
        0x1f6c7cbf500c72cL,0x090d0de31546514L,0x1bd3c1a5ab4d63dL,
        0x0f9b96259a8e6adL,0x1778beeefe15924L,0x1fe72165baf3abbL,
        0x17751ed296886aaL,0x06b48cd150f07d5L,0x001698ef4da60ccL } },
    /* 222 */
    { { 0x0bb9e1ede79499dL,0x147fc7e87e156d3L,0x03a069f64d5bdb2L,
        0x1fd1e0c64f7d81fL,0x1b300bebbc3d1c9L,0x1e0c0dc02e390b9L,
        0x074040108282104L,0x1ad3d342cfde195L,0x0076c909d1aeeddL,
        0x050ccbfc71d4539L,0x1fde9e9ded0a799L,0x17e8b929a7d279cL,
        0x07e6d48407aac0fL,0x148c90f3f9bb4a5L,0x076ef5bd599e78aL,
        0x1f533e47fc1e7dcL,0x165c7917566cbf9L,0x04b2c3079707a6bL },
      { 0x134702b7fa5f79cL,0x1ea132d796936f3L,0x0e61b1cf833a4c2L,
        0x1a9dc8945a8b7b1L,0x156c8a1a7dbe7beL,0x06fc076094f0124L,
        0x0966dbf7016b1dfL,0x15ee14d7456b139L,0x0fc484021999825L,
        0x09425aa3d11f85bL,0x084290a282a2bc7L,0x16625655edb163bL,
        0x1a33935ee3b1eb1L,0x077fd3767828a21L,0x1899531e81fac9aL,
        0x1dc982ddc810dacL,0x0527a7bc5014549L,0x0328408190fd4c5L } },
    /* 223 */
    { { 0x1f0e460b67ed9b2L,0x107e861b6c9e924L,0x0fa6231d7870336L,
        0x06c297819376b2cL,0x1a768605757bbe9L,0x16e2a24d4dc400cL,
        0x16616a2df8abd23L,0x0993cefdb3d6a34L,0x0dd025274ebbf02L,
        0x0c5b1440aa2e31bL,0x16bb4120036e816L,0x027303c54474737L,
        0x1c550cb4f27fc20L,0x1a903463ee337eaL,0x1a7e856b49c0cbeL,
        0x151459341795d02L,0x12f60606f213a7cL,0x04c14a8234c3132L },
      { 0x03746002e11c128L,0x1d72e8736e53f1fL,0x1b8b65548992037L,
        0x051016e287c8802L,0x126b881cf65f88fL,0x1c357f651e946a2L,
        0x1e563e71677477eL,0x09ea910c18498e9L,0x0d06ea43c9cb69fL,
        0x1a1e4d7399a7676L,0x0b3358d4ca5c4d4L,0x0806be74d818b98L,
        0x0cb372653ba95ffL,0x1128291e9700d0eL,0x089fac8c5443f7eL,
        0x19a21ddca71c54cL,0x14beadfc8a0ca23L,0x025bf370d9f3c7aL } },
    /* 224 */
    { { 0x1c9076fdb5f928bL,0x085db5b9a3e763cL,0x1e62b003b107989L,
        0x153b2c338ea96ceL,0x19e4343f900d20bL,0x0c9aebf6a160682L,
        0x00738f7ce7a1514L,0x1584c722304c9eeL,0x0ce8f2554e1f87aL,
        0x0eeb3c4b2fc8d55L,0x1458fe8c914e7ffL,0x1e589759d32b2d9L,
        0x0aa94f9ea55c815L,0x1792722aebc6461L,0x17709a9eacabfd3L,
        0x05045e1dac81239L,0x058954a420b00caL,0x00308e262e994bbL },
      { 0x192001ca9e81829L,0x199900451416678L,0x17863e77b66f7b4L,
        0x1b6f11200617fafL,0x1577a5dd6793ac0L,0x169e15dd806c8e9L,
        0x0405385e88e9e00L,0x00fff2bf119f6a9L,0x17cd1bf4bc71b6eL,
        0x11d925011ac4645L,0x0cd6e2904481d8bL,0x00bd880ada6136aL,
        0x0ce916a1b52481cL,0x0280bcfa2ae3a08L,0x1344822ef80c9c6L,
        0x1fca02bcd82ef67L,0x166509a24c090cbL,0x04103ca948e0842L } },
    /* 225 */
    { { 0x12d3cff1c7d353eL,0x1f666bef0671daeL,0x1d7db2a1d8d7579L,
        0x004bf35a7d69620L,0x005cb5aeda8404eL,0x1910d0b5cb1f449L,
        0x0b292797b836027L,0x069ac990bb3d483L,0x06a46c4e934442aL,
        0x037fcbf1e7b2ad2L,0x19707b9505f5f2bL,0x1353dd7f3898ecaL,
        0x1988da638868100L,0x1b5a39634adb0e9L,0x1fc45c5900ad1abL,
        0x00bc63fbca2ca16L,0x0a794f8f273be0cL,0x03a43d81b5441a2L },
      { 0x060e5759c3e2370L,0x0c0c9fc02438cd4L,0x1cf29b8be6a8675L,
        0x12c288e336741b7L,0x1effec21b6c7e95L,0x08675fd4824e3a6L,
        0x178562e8192c8fdL,0x1e5625045809343L,0x0b654b7d9b1d527L,
        0x03842ce87fe8218L,0x1d299d3c1511af1L,0x0a37475bb32a6f8L,
        0x0be33533b5e5532L,0x13f20ce7251f6b6L,0x146e5e4bcbd1340L,
        0x14d3e5b09dd054bL,0x1ddcc76b123db6fL,0x041a7c2e290fd1dL } },
    /* 226 */
    { { 0x09347c12ce9b31aL,0x029157f1fd9db99L,0x0d354bfe43f4762L,
        0x0c5634103a979dfL,0x0a411f0853b1738L,0x0db01d29c608dd1L,
        0x15d05e256e4f050L,0x10c532773556217L,0x1ccbbd046099129L,
        0x14fd7d8775055d2L,0x111888d598625d9L,0x11386cfff4a9a90L,
        0x1d1c3478da4a63bL,0x15301a7be5d6ae8L,0x06c4e4714ce489eL,
        0x1ea2a1cdae0bfccL,0x14cdd14b660f74fL,0x031cec58529995aL },
      { 0x0423162162217cdL,0x12515408e14737dL,0x186085d9b700b83L,
        0x1208d40dded1b39L,0x1de921015126373L,0x014c69a2775118eL,
        0x15fa4181f23c845L,0x1c24fe4e574c7b2L,0x1e7ce80cca5e8caL,
        0x00b75f1127bd31fL,0x13969e259cf8d16L,0x1444a6d757a89bdL,
        0x0ee3bf77af13756L,0x15e7cc5e3226b0dL,0x1ea58b182cafdb8L,
        0x000467616b3e653L,0x02cb0769a1aabb5L,0x02048189b063aa0L } },
    /* 227 */
    { { 0x0d2873a1670433fL,0x0a6fb12a49efe42L,0x066a03f3e27b24eL,
        0x01b652ec2dd60b4L,0x19e63046e39e431L,0x14e54f283a16e4eL,
        0x07437cc6b632077L,0x1a30d557f29f6f6L,0x036cda27a1b3c82L,
        0x18d177a1cb816c2L,0x0ff77118204a67eL,0x091ba472c470501L,
        0x137b3c9353e4b2bL,0x097dc53496d9617L,0x06011d356d6cc5cL,
        0x04af1f370f47610L,0x1c8d85909861e95L,0x040334776f9bd15L },
      { 0x0edcd35b39a0249L,0x1866a597c575771L,0x1791c88f7c16bc8L,
        0x15c1d26fe852b62L,0x0cbc9162bb66982L,0x04ee5080ce95b94L,
        0x01ed17144aba73dL,0x1d22369234ec61eL,0x148d4f34ca03874L,
        0x0fe87532265ba19L,0x1e6b87e56cc30f0L,0x1a9bdb16c15827eL,
        0x1f61ead81c40362L,0x04c61e944f418a7L,0x1485c0bb5803751L,
        0x03e66bf96383384L,0x0e9592329fc3a9cL,0x00233baa40def36L } },
    /* 228 */
    { { 0x03de56e39233c96L,0x0204e4039bf57f7L,0x06f4806af1a21a3L,
        0x165690c40b595c2L,0x0f19056c0f2cea9L,0x0e1520f191c3f0bL,
        0x0fa1ba9d4d96a97L,0x09aed8535982569L,0x0a01fcab78d6329L,
        0x0edf4458655cf92L,0x11b96fd05301520L,0x1127972d6f54eccL,
        0x117664e097fe111L,0x09fe7ad4db24fadL,0x1ffd8d2865908b9L,
        0x1312ab2f1937a16L,0x056b5feb38e3c22L,0x001c524fd8419e2L },
      { 0x1e3818c13e93257L,0x15e4ed3093a0d9aL,0x0925f2ab01ac533L,
        0x067b54222c9edd2L,0x0de2034a82278e3L,0x0dd31873e62b2f2L,
        0x1bef6edf7257c28L,0x1ad03bb3e46cd2aL,0x1c63e6319bb132dL,
        0x11158117e12099bL,0x12064dfa2fac71bL,0x129bb1927158470L,
        0x0aa6bb564483b19L,0x037c8c03daa67d6L,0x1e367cc69f35138L,
        0x151cc3ba8737751L,0x060660c2a787f74L,0x025dbb711090dabL } },
    /* 229 */
    { { 0x0151e8ae6354817L,0x04a75781c5a1c3dL,0x1a2216562618cf5L,
        0x0e3b975824990d8L,0x00edad067215382L,0x0072eb7a43d7c66L,
        0x1fd56b4cc147f94L,0x1aa14e23637adc8L,0x0a68709a78c746aL,
        0x1f8b931320179afL,0x023bebecc304c09L,0x008380d8e92f8daL,
        0x0edcc3e2da9ef1cL,0x04970839e863a76L,0x084add0c317e5b8L,
        0x1d6041e27279e55L,0x18b245840162107L,0x04421e92fbdbb7cL },
      { 0x01501dcedb2a83eL,0x147d815dc6b9227L,0x196764977d8af3fL,
        0x1e8556df8612040L,0x00f09dfd3c715dcL,0x0c857539e0282adL,
        0x1d278499d17638dL,0x0c6a705e9b0edfeL,0x0fc69feefa920c6L,
        0x10b0108cfeb88e5L,0x070ef641d713577L,0x17a27bdad7e4843L,
        0x0b6263a1163800cL,0x1e93261bc63f507L,0x1672630d6f5e561L,
        0x0e76aadc45c8ae2L,0x14971bf2a2dfa73L,0x00281fc9cc49ae4L } },
    /* 230 */
    { { 0x1addc6671dad4f6L,0x124448125f50db2L,0x038bd8174f748e3L,
        0x1d61b2d713f6ed9L,0x0601b2cb13d5f5dL,0x11e92a705add1abL,
        0x03a9f8df524760fL,0x175d10c08464819L,0x1374182f3e91c99L,
        0x161657cd43d6c8cL,0x0c102bd5d3ca549L,0x1da328800146962L,
        0x1e06df42e75b9bcL,0x05e8844ea6662bdL,0x16ed4008ba3b141L,
        0x1d5b618a62ef5bbL,0x0f9690d31d29ecfL,0x039abbc7f0bb334L },
      { 0x186ee3e843c1137L,0x0217d1f85b9e687L,0x1e762ac838e8f07L,
        0x082c485f5c1ceacL,0x19b092e46f95f1fL,0x11b5603dc4708e1L,
        0x00b9858a500f930L,0x064cc20be825b58L,0x174dc28a7862e06L,
        0x08c7fd979d91e46L,0x0905f01d17fefc8L,0x1408980ae23c230L,
        0x14cefbe4de49b55L,0x0bdfb88396332dbL,0x13c19d873130076L,
        0x1a1f165940db58aL,0x0a1fc599daa7450L,0x029731bd30d18c1L } },
    /* 231 */
    { { 0x01700f16bebc6dbL,0x1a2edfca81ec924L,0x14f17454e46529aL,
        0x0bcb5a55798e2b9L,0x0b7b466f942a1c0L,0x09c8c59b541219dL,
        0x19b3ae904efb6e8L,0x194d314ac4921e9L,0x1bb720da6f3f1f3L,
        0x08b6a0eb1a38d59L,0x14889cc0f4d8248L,0x18008c774d3dc01L,
        0x0d62845fd17fd4cL,0x0056e4e3d6304f2L,0x1ebef298d80ecb2L,
        0x129577e2df9348bL,0x09841007f7fc4bcL,0x03e48b5a7d3a58bL },
      { 0x1026f9178bac2d4L,0x1404c1300d43ae0L,0x1db801cf590228bL,
        0x09f983f7115a5e4L,0x0a6b291f443610cL,0x16307e2b93dc116L,
        0x1522c19154cb223L,0x006a3c91133db35L,0x1841b48b5f543f1L,
        0x16658df6ac8e775L,0x0b7c3e773d6a2e9L,0x0041668fbb69f89L,
        0x02cb44c5213a7caL,0x0293e062550d666L,0x08f3d41dceda0a0L,
        0x1924d546e9820e0L,0x07c733d10006b74L,0x00ff9c8b7bbd468L } },
    /* 232 */
    { { 0x0218fe4f997939dL,0x0fdddbc8ac1d9d5L,0x176a1fdd582cf53L,
        0x02bb525931674f6L,0x06666f4aa9c0280L,0x074eebf0f5a556aL,
        0x0c1d8bac5e94453L,0x0dde8d4cd49df1eL,0x1900b45c6810e54L,
        0x1d7912c25d7826eL,0x0721c9721350bfdL,0x044b1c9907bc798L,
        0x01170d88b23093fL,0x1603b722317d6f2L,0x174506f86584b92L,
        0x069b5e91ae68c65L,0x0c9c1b1f759925eL,0x00cf68d2b0395c8L },
      { 0x0f7fcde6c735473L,0x04733b001de1f4eL,0x12f3ec666ee2aaeL,
        0x033599997a2430fL,0x10f65459bb73044L,0x09314110a57f9e5L,
        0x082e1abb2068dbeL,0x121550596653f3aL,0x182f3f90f5773ccL,
        0x17b0735fb112bf0L,0x0d12fef51d8b7d2L,0x0253b72e0ea7e31L,
        0x097c22c18e3948bL,0x0bdf4bd6e374907L,0x0d8dfe4e4f58821L,
        0x1a3abd1ae70588dL,0x199f6625ccbf1feL,0x03798f07cb4340aL } },
    /* 233 */
    { { 0x05afe5582b8f204L,0x020db69ac5aa562L,0x1efeb357d7b6b01L,
        0x1627379b26e427cL,0x16dbcbb01914c70L,0x09ae90b8a5a2c0cL,
        0x07c83a4a5f4d47bL,0x00b1ec8106ed47cL,0x1150a8a9d2f3cd7L,
        0x19b7400ee6ecfb6L,0x13ad9573d5b60beL,0x00192554b442b4aL,
        0x023b089f0376105L,0x0215b3746886857L,0x1ba3521246c81e7L,
        0x0de8a95e35c7a1dL,0x1e6137e4c284155L,0x043af198431ec53L },
      { 0x080fddcaf6c0accL,0x08f335d8f3e046eL,0x0b860a1616b756bL,
        0x004eb8fb4db8e2fL,0x126b9e15bdc5434L,0x02fd287a5a64296L,
        0x12cc97c287efda8L,0x03b8df03c8f02f7L,0x02cbd432870ff2eL,
        0x112480b33e3fbfeL,0x16b2ded6169b122L,0x15a88ccd80afa08L,
        0x0fe6d7d63d2e972L,0x0713a0a263a6c3eL,0x09612bbdc19f61cL,
        0x1fbd765942af516L,0x009495c5bfb75f0L,0x02d5d82c0f9c370L } },
    /* 234 */
    { { 0x1e62d2bf0c97f57L,0x02438cb179463c5L,0x119d1ed42aec3f8L,
        0x0689f413db8a914L,0x0b05a96ef6b26e0L,0x1357417ea26371dL,
        0x02677b6c00cb1c3L,0x184517a8057afc9L,0x043f2e9639b7c11L,
        0x161fe0767489b8bL,0x0e2f240bf43e303L,0x0754f9578758ed3L,
        0x1206924cc99d9cbL,0x0130480a7445444L,0x0b9e782945186a9L,
        0x07d018fe955172cL,0x0bc4ef0210a8b1bL,0x0382a23400dff72L },
      { 0x0b3d713121901c1L,0x11313ff56aa557dL,0x0a16f022e88fa42L,
        0x0a6dd844fcc9edaL,0x06c191ab8d99301L,0x04e7164cd0b55c8L,
        0x0ea021ac73d6fd9L,0x1e0b240ceb2cd7cL,0x018836279ccba2cL,
        0x00abdc3f7fa9a43L,0x1262592c88ebc8bL,0x09e0155cf4af7f5L,
        0x0063218a80cd0fdL,0x0fc478a76d6edcaL,0x07b67f4e112ede7L,
        0x0a06d8367c7a96eL,0x06b6c634a13d620L,0x037ab5767dc3405L } },
    /* 235 */
    { { 0x01dc803d9205c5dL,0x0afbeb3891c94d8L,0x1ff6766d9595a25L,
        0x1da76359fc7bd77L,0x0094eeffb844395L,0x0c8ff582194590bL,
        0x141d598c7fea08aL,0x00a1bbccdcc321bL,0x175b03c55e8577cL,
        0x048e72fc8b91203L,0x0229023aece8fdbL,0x1f140b14272d345L,
        0x179a6e06761d376L,0x1db8e94479d2ca2L,0x130c30040c0a715L,
        0x017381087e85168L,0x0add8e6aff8730eL,0x03db5f408a76b22L },
      { 0x0c38e4a3d3aa54eL,0x19ca1ec1ea84d1fL,0x188490e55788408L,
        0x0fea3a7a89f0954L,0x1eca4e372910471L,0x1d2aef316922163L,
        0x086d6316948f617L,0x0d18deb99b50a3bL,0x0044bcaa8200014L,
        0x1a80f34700b8170L,0x064d679a82b3b3dL,0x0d5b581de165e10L,
        0x08fd964f0133ddaL,0x0985c86c4bd776eL,0x1048bad236b3439L,
        0x143bc98bf5adf70L,0x0742284ec1ed700L,0x0437cd41aede52aL } },
    /* 236 */
    { { 0x01d9055450cc69fL,0x18a5e64f6fcc787L,0x19dfb9fae80543aL,
        0x0f331f1ca637729L,0x1b16eef05f7a673L,0x0e2f0aac41c2718L,
        0x14aaaee4a1c8f61L,0x0e9fca3c68b97b2L,0x0c5d0ee287e2416L,
        0x0e0a3778800c178L,0x0e7a4b9fd6f8b3fL,0x075f6cad7a7c1eeL,
        0x1e5168e289501abL,0x1c77082558aa96eL,0x0c111d65037f8c6L,
        0x1522685246c0788L,0x1869306f114c460L,0x02dfd4fd781da8fL },
      { 0x023f52c107b258eL,0x1415deb31a0ee15L,0x1b6208f3fc6a627L,
        0x08e336923ea9479L,0x0433dfb8f45b779L,0x09287744c6110c1L,
        0x1d9543e77647312L,0x08aa185455c9f42L,0x1f7aa1ce42c327fL,
        0x1d0ad6b2c1d8f20L,0x03569686feb6784L,0x14511c3f7b9b354L,
        0x16915f7f879b1caL,0x03f40d0f57c941dL,0x0034a5b04393832L,
        0x0b7b009fb94ac21L,0x0da6acc96161275L,0x00d8933554147f7L } },
    /* 237 */
    { { 0x0bc0a00774ee49cL,0x1b42965b11beba7L,0x12b177e4e28dddbL,
        0x116df7f77bf80a8L,0x145f2eaec3388ecL,0x16749bc25645e6bL,
        0x1e84ea7159826c7L,0x0e2cadf6d58fbd1L,0x15f8ded74a532b8L,
        0x186a145d5444f84L,0x09fca042debb0aaL,0x1c3dfdd96698876L,
        0x0b9e89c2db26426L,0x1c90884822218dbL,0x1604162ab12f174L,
        0x1ec1d24dee6d09fL,0x023452fa691471eL,0x019a8bfed90c6bdL },
      { 0x1c33f46593c4a36L,0x0eb8c1b58d4f754L,0x107509defbb2b1aL,
        0x1cfc9e2f38ab441L,0x146d88a23e8ca24L,0x03817c2b9b99b4eL,
        0x155d1c73ac731ccL,0x18516309b2e6bddL,0x17f4517a20704ceL,
        0x1894e8c6b831529L,0x115c6ec75df871fL,0x061306a1b1640f4L,
        0x1f61fab8ef774acL,0x1aeec00d93d948cL,0x0d1647e9f13304eL,
        0x12567cfcc4ab628L,0x149349937b85a35L,0x018fd631e9863baL } },
    /* 238 */
    { { 0x0e8cf1b04913fb6L,0x009a80bb4d35997L,0x0dc5e0f987c1f90L,
        0x13c4fe5ffcf21d7L,0x0daf89bf1e5107fL,0x06f3468925d33ffL,
        0x0afb86248038796L,0x1552c4e6546dbebL,0x072cc37cfacbeb4L,
        0x062fd4b749e2d3bL,0x08c5f3798ce4eecL,0x1ccf06165ad8985L,
        0x041be5b96a97f65L,0x19867336a57e1a8L,0x103613c2fd02981L,
        0x0d6112d4374f326L,0x1f53ee182540762L,0x000ed9aedbd5865L },
      { 0x00fbc2dac0efee2L,0x175e6eb8edda2b7L,0x18f866da6afa101L,
        0x026fc03045ce57bL,0x11458b4c49cb7e6L,0x1e2eb1e5dc600e0L,
        0x19dd9082d211da1L,0x030308fbf428a98L,0x0bede911dd1839dL,
        0x1cee4e493c6f823L,0x0f58ae2068cdb06L,0x10f327cef5b8529L,
        0x0543ce3ba77f096L,0x1bb2777e3d64833L,0x111973c521a57f5L,
        0x19b63c1841e1735L,0x01d636e8d28a6e2L,0x03db5d4c66baa9aL } },
    /* 239 */
    { { 0x11d9e03c1881ab4L,0x12eaad98b464465L,0x151ca08d9338670L,
        0x01e2c35449505a7L,0x01ebb2c99599439L,0x163d3abc1c5e007L,
        0x0882a3f577f32f7L,0x0909ba407849feeL,0x15ec173b30efeffL,
        0x0f8e9598b21459aL,0x0f679415ba04fe6L,0x0575816633e380dL,
        0x04fd223b1592917L,0x0c6848f6b57071cL,0x151923af404167aL,
        0x1cf30d662d1c94cL,0x1082211447f3375L,0x023f4080cb8f5a2L },
      { 0x045d45abc8c290dL,0x089aac087d99d38L,0x02491beefcbe8cfL,
        0x1670b8f9b2575e0L,0x0161985cacff3f1L,0x0443a462d8a8767L,
        0x173231bb829fcaaL,0x0873b11191cbd11L,0x04dd735f2ccb864L,
        0x00f09db9e207b79L,0x0897ffcffb5a473L,0x162e4afdcb8ff87L,
        0x13f32db1354cb43L,0x016ff969d532a7cL,0x1298e5113d63428L,
        0x0cd2ef1c7e31151L,0x07b39646ccef3e8L,0x03c2d8c81706e74L } },
    /* 240 */
    { { 0x0ce2361a92f9a20L,0x0e543ceb22a077eL,0x0a1474035f16defL,
        0x185d2f924da8e73L,0x18da6a8b067ac8dL,0x028db495751fff3L,
        0x05069a0a2fd518fL,0x020ede388f2e2aaL,0x0f4bcbef63977d8L,
        0x0de24a4aa0de73dL,0x1d019b45c10695dL,0x0b7b0eeabd5fc03L,
        0x1d59e7ae80d282dL,0x1c1559b7b71083eL,0x14758d2a95b8598L,
        0x1b088cbdd1ded73L,0x02799a2160ace4eL,0x032abe1b3dbb896L },
      { 0x01b0268d75b6e52L,0x09b2008c68744abL,0x0cc1a8bac6bac20L,
        0x0cda1211299fea6L,0x15fc1d484e46222L,0x118316dd9a8913dL,
        0x0b7164d97a81d5eL,0x10e995946f7acdcL,0x1220d7d23b90958L,
        0x007e9c9c62239dfL,0x1cdc299e1f693e7L,0x1799a0afe9715bfL,
        0x0c1173f33aef0aeL,0x092d135a102f3a2L,0x0beeff6e347c296L,
        0x1a509526c9e92e4L,0x0b4c891ae778227L,0x00ae20682507045L } },
    /* 241 */
    { { 0x1af169a2a0e18d1L,0x0e00ba60193e14dL,0x08fdef098b3a65cL,
        0x1b031fe6f3b0346L,0x0cd3c3302099db8L,0x0d02a9b31fb31eaL,
        0x091c3bd4c970c04L,0x0e139ae17b9f301L,0x1e64452d11c9ed0L,
        0x1dfa1fa5633b709L,0x1b029aba170a96bL,0x0aa08e0921892f7L,
        0x07491e6ba92faaeL,0x157d4c8a055cbd4L,0x1c9955d0157d4deL,
        0x1ad7ff92b5b766cL,0x037646343b9d119L,0x03c474a504e9a0fL },
      { 0x13a6fe59c53461aL,0x044bf0471db7682L,0x0bcc1da364e5d7bL,
        0x0d98427a9f51ebaL,0x05b0147c9bd6bffL,0x1dc0b4ac863da08L,
        0x1e3a4828d8a2df1L,0x11f8cd410dcb79cL,0x13dd4d2824dec1dL,
        0x08567a260cee674L,0x0b61d7610d69fa2L,0x0f83d4c70364cc6L,
        0x17f0dcc12859016L,0x037c6a31d912cbcL,0x17be8e646984ad1L,
        0x0cf108430baf182L,0x093df55ec37119fL,0x048d8ce633c06f5L } },
    /* 242 */
    { { 0x1f2709dcb5d8b80L,0x0b0c17e1ab30775L,0x0644157be5a40eeL,
        0x1bc8f8868570e7bL,0x154f8867d1ea4b4L,0x06bbf7e625c9226L,
        0x1d58e4ec68b2bf6L,0x0ac0d1a49cfd183L,0x15f5fabb6499730L,
        0x192462802a11ba7L,0x178ad4fce3a44e0L,0x11d6f76d017d86dL,
        0x17d8f313b5ed07eL,0x17e969c94b2409eL,0x1228c69eeda81a6L,
        0x1864b80db091c10L,0x1af6867fb2fe4f0L,0x01e15d41a0339a1L },
      { 0x162d7759d3ad63bL,0x055cbacf0758fd5L,0x098ce217845cfe7L,
        0x1dc4165f3ce0665L,0x09eca947f22cafcL,0x146c46da94dd3f2L,
        0x055849255085988L,0x08901d447d87247L,0x01b8907e7d43706L,
        0x1bfd22aab1f2722L,0x060a7aca92c3e92L,0x0148900c0f25995L,
        0x0c246991ced0a72L,0x1a468435c666ed0L,0x02bb84cde88c96cL,
        0x04a7eacddaa13ecL,0x1d83d30e091147fL,0x00fd313d2e0839dL } },
    /* 243 */
    { { 0x11222a242478fd4L,0x06378b385900050L,0x013e0d671b7ab3dL,
        0x12f7279b79ee376L,0x030db60b618e282L,0x0d9d94cb70dd719L,
        0x15777c5ff4ed259L,0x0ff4b0c738d78e0L,0x0c3ea92ed4b817dL,
        0x0415953691d8452L,0x048a2b705c043a4L,0x1c8c41d13b2f08eL,
        0x1703ff77c9753b9L,0x15df3072e7bf27cL,0x03805f5b0fe0914L,
        0x0bdb73c86597970L,0x03e150a5acdc0a4L,0x033dc5e82a3cc3aL },
      { 0x06079b4f4797cf7L,0x04cc5681fef0173L,0x18e9532abbc78c7L,
        0x1deec92e22b546eL,0x0f29b1a764d9a1fL,0x136549be706e39dL,
        0x1a9e19986c20fedL,0x0c37e9ae9fc65f6L,0x125f6ef09df00a5L,
        0x1e21c1fc18e88acL,0x1304314daf78dcaL,0x1f3f10598cb6dabL,
        0x13451a99b8d4945L,0x15d608d240fa478L,0x029282850058735L,
        0x150493b29a9dbe3L,0x0df65363165a467L,0x03a14bd54d264d7L } },
    /* 244 */
    { { 0x09758a4e21124baL,0x0c0cc543ffde962L,0x1744f598e2a266fL,
        0x102bef7eec8bf79L,0x04e6d57e94645ffL,0x130edcafd339b7eL,
        0x051287ab991d64bL,0x0e8f2aeb81997bfL,0x0a3d1304725b31dL,
        0x040ef912655ad73L,0x1f4a6468a21fc9eL,0x0b2144d588b31b7L,
        0x12d8661d4a23d07L,0x0500a07b972c4c2L,0x0cde0a8ded704eeL,
        0x09d201f28333c7fL,0x112722aa0591bc1L,0x044d55bdd6aadddL },
      { 0x1345a96d656bdc7L,0x0e457f0bb669dc5L,0x02d8cb59310d0efL,
        0x0ef3705683ad2a3L,0x1fb0cf82fcf364aL,0x00943dc83d9a277L,
        0x043bfcf4320f144L,0x0b9d3e4d4b2699bL,0x1e5f5aaf207082bL,
        0x15b963af673e0b2L,0x042a06fa61b3593L,0x131ffe2a6d55d2bL,
        0x03a8263d5efeef4L,0x0a574395822b012L,0x081da1a502f853dL,
        0x09af57dcf7993c6L,0x146d496a27dc1bcL,0x00016e14baca055L } },
    /* 245 */
    { { 0x0533937b69d60c3L,0x1f2a97f4b93aaf7L,0x1e37031c9698982L,
        0x1d9565cf85623f6L,0x0e2322cb6982c27L,0x13827ba5e776ecfL,
        0x1859654ac67b448L,0x10a5be9850b0a94L,0x0ba40b5bf7b1924L,
        0x05e54a8008cfa95L,0x1f472f96b761bffL,0x0df7b3a1e582e8cL,
        0x14b8d4ebc99bf53L,0x02d4098b9e14b71L,0x0cd7dd81257e3d0L,
        0x0424518b3d1ace6L,0x0730b53d324e054L,0x026ab229a9e1dedL },
      { 0x122f8007e5c0877L,0x1a1f30654d3b239L,0x1d2e8b049c59206L,
        0x0fda626d84463e9L,0x18db30de0959685L,0x08475e574131911L,
        0x08c7994beb50266L,0x092171a30295e1aL,0x02680c54b09cbc3L,
        0x0a2b179a5f9dfc7L,0x14242c24ad657ffL,0x1948bc2bf868530L,
        0x11bc378168e6f39L,0x022d2543b80ba8cL,0x085506a41a512ceL,
        0x19169598dae9505L,0x062adc9bab3b155L,0x00f97c4e73b9836L } },
    /* 246 */
    { { 0x053ef419affefdfL,0x1f672a67c92b5c1L,0x0bcad113920c175L,
        0x1f974a8e3e6ee00L,0x15cbe015b189755L,0x05c214e44241e5eL,
        0x1d874953df1a5a8L,0x0ae310a17a8c3e7L,0x17ba210890a2471L,
        0x0d5de176c977586L,0x1b2afa5977b224dL,0x0e4978aad095f6aL,
        0x0f6a7a74929da23L,0x177a5d236c5d1cbL,0x026c9ebf2e436dcL,
        0x06cddba469fc132L,0x147bdf3c16476f4L,0x004e404bf8bf286L },
      { 0x004b14060050c07L,0x1418c21d471bf35L,0x06caed57907f0a7L,
        0x1459cc1c7597285L,0x1b9d82f4ed2fea5L,0x1e9bfd6e3d8ff9eL,
        0x1d4e523afb30da1L,0x124f22a7c65d960L,0x06a60054f570756L,
        0x038e6864003acddL,0x1ce1bcc248b7c4eL,0x0b3d066af6f82f4L,
        0x09394151864e9fcL,0x09a6dc448e9359dL,0x1f36dc644a8088bL,
        0x0606ccce5f9e8b3L,0x16c5a3f268d44ffL,0x037889f69b488f0L } },
    /* 247 */
    { { 0x0a9df591836f1c9L,0x08cfaa119183ea9L,0x1c0577b4a16be99L,
        0x155ec4feeb080d8L,0x0ce0417d0a1545cL,0x089a21d70888f75L,
        0x12f2feca2f7da98L,0x0b1bd3de156a5b7L,0x1e9dc181b7813e6L,
        0x18ed5edcc893912L,0x16638c8a0531642L,0x0cddb269dcfcbe0L,
        0x1ab99ba4bf5c3b9L,0x1e0daaf3a75c276L,0x0aa183eca4668d0L,
        0x03fed535bb69329L,0x1e21b7220dff681L,0x0331b511de8d0c1L },
      { 0x15d5a2d20587283L,0x01164f783fe2eefL,0x15543bdb78e02ceL,
        0x0e4ba2ce3a2f0d7L,0x1cdb1def163cf90L,0x017e253a5fcb8f8L,
        0x153dd5d27a0c021L,0x1961c5db78e4ff0L,0x1bb27bbdabce24aL,
        0x0d8ce7602df6846L,0x0848fbdf2412f30L,0x1e37b13305b755bL,
        0x0e65f6e63202429L,0x172cfe9924e9b0bL,0x07ca7d68de27ea3L,
        0x0f1402c174775fdL,0x0f80f2d3b61af53L,0x03d77663b39e153L } },
    /* 248 */
    { { 0x1a4757cdc43b0dbL,0x12742cc08ce56f9L,0x0fd9185b0558f62L,
        0x189ea67d2ff012bL,0x19cfc5ad3e2a07bL,0x14029654c121b39L,
        0x1b198629ae8eb35L,0x12b7ac1cb211439L,0x1ae3841a502b1b6L,
        0x036ff890c850cadL,0x0afab2b4c7f66e6L,0x044998e51ef65beL,
        0x180cf0a9927d893L,0x0c35227561c7539L,0x057c0f2a10e6a01L,
        0x1f10bdbcfefe02cL,0x0454824990827a1L,0x0147620035bc53bL },
      { 0x1820c2ea2fe0009L,0x1d2e9789c3a74f0L,0x115314936d4b846L,
        0x0cffdbca532ea44L,0x1b2500d44d47742L,0x14922580e9a0cd4L,
        0x186e73822924861L,0x1c1742d2047ba37L,0x0242c3e5432a301L,
        0x1ab7bdd384833c4L,0x14a8271d2a33126L,0x1083aedf2873e15L,
        0x0b621fb60e99cd1L,0x1e1cbb1a76ed7f0L,0x1fc2a1015afb952L,
        0x1815e8ca7f0c1feL,0x1c36bd4876f2011L,0x009a7a663864a92L } },
    /* 249 */
    { { 0x021a3ece938dff4L,0x00d3da4353cd1cbL,0x1e5f7a5414ddf44L,
        0x13ccbb0fb7e589dL,0x173b8cfaf318409L,0x0148b75c4e3ffd9L,
        0x09d91a2ea9417a1L,0x0574f21fa129d7dL,0x1679df6d4e59289L,
        0x011998e7e7f6ba0L,0x13bf4a6203fc848L,0x1bbba0688a0217eL,
        0x0b342858c87ca78L,0x12baa43d16584f6L,0x12c1246797adb70L,
        0x1a8e2a0ceb42bd7L,0x0f409d2e74f7381L,0x03751bc14c1e9ebL },
      { 0x05c094b4e5cc40aL,0x11fb50d79befde3L,0x1a77e409b911e8bL,
        0x0b27101ea7decefL,0x1f644aa9b7878c9L,0x10461e25518583bL,
        0x198ee83145a0cbcL,0x060f804ef5ccb1aL,0x0ef0b3c38ae1d91L,
        0x0179bd3b4ae1f52L,0x130715a8317834cL,0x0b8841979f3fc00L,
        0x1d568a0e7c9fd49L,0x0c94322a3836adcL,0x069c2722c8977fdL,
        0x11ad0a4fa88cb1bL,0x07d47c558da87c0L,0x0303773735da778L } },
    /* 250 */
    { { 0x0d99fc757c621f6L,0x12060bff41ea401L,0x1e867bc666c0a4bL,
        0x05cc58eccc37bf8L,0x0673875378a0410L,0x1d32d78b66d1b87L,
        0x18826f2065d3478L,0x18c32e84091ef1fL,0x1c83a058abf5981L,
        0x135921a4e44b816L,0x0cbc7a74699e2bcL,0x1361fe535c53311L,
        0x181d7cf5ec472bfL,0x19346eec50a1f1cL,0x113fdda7275f916L,
        0x0ece62cd9b4aabfL,0x1076044cdf0a4aaL,0x024edd37bf48a43L },
      { 0x0e47fb2a758e37aL,0x198eb96c757b310L,0x17e5be708842bdaL,
        0x0f21df86566a55aL,0x01e4b2640093f72L,0x18abcaa1ae4cee2L,
        0x0d5d6fea1e38016L,0x0b3338a41481cceL,0x1ca68259487eea7L,
        0x14fbdc0f8951a45L,0x1f3060aa8b38d40L,0x0e97d5abc58b4a8L,
        0x1b55682cdfa11d8L,0x05df47334d781a4L,0x14e52afe1baffaaL,
        0x1d71e7b570f05eaL,0x18c458bf797ebc8L,0x0244853d24dbef3L } },
    /* 251 */
    { { 0x12996898da995f6L,0x15573f630ab77ebL,0x1030d5aa0b574e7L,
        0x03826b79fcd2b20L,0x0f595c78b2046b2L,0x02fda0753905b20L,
        0x0eff00a093beb9fL,0x17d2fb1fa981db6L,0x112f0290579f24eL,
        0x17e23e78c3f535cL,0x07f49de275708c5L,0x16d9124c7d99843L,
        0x128b6d30a6233a6L,0x04d99b40411b1a5L,0x11dd15b28d4b897L,
        0x00cb72711ad9481L,0x076f8e55b0b3c92L,0x02e0ba3a58121cdL },
      { 0x088e7c28aaccab5L,0x13c1b5567682decL,0x1df733b03d94600L,
        0x1824b8510430b70L,0x07fdc54c93cadc1L,0x1c4519a2efaa053L,
        0x1e8b13cf21b8b09L,0x19e7d0e88d3c741L,0x1c59daa47273983L,
        0x031e245a54b6c52L,0x14af3f0b962454cL,0x170f09c85187871L,
        0x0cf0c4fd5390e78L,0x0a0f3002c805149L,0x094e872dfe4b6deL,
        0x01f4f2acf2482d9L,0x08c35f6f31db1abL,0x02eb3af5a3dac20L } },
    /* 252 */
    { { 0x0ee1a77870c6025L,0x111dbc8d16fe557L,0x0310e1ad9313f12L,
        0x1bcb5ce562f61ccL,0x1eefa212d5d5b17L,0x01c5cb36fe44564L,
        0x0bb313fabbefb50L,0x00e133586ad1c5aL,0x0548ea612012af2L,
        0x1ff6cedc4e1890cL,0x1a47138399ccc53L,0x0c9f5f0601c0383L,
        0x1c6773c3be009bbL,0x00410cfd43c0280L,0x06c1bff8335bb7bL,
        0x166def80abc0ff0L,0x0a382b63f9ce080L,0x0017e65d7854ff6L },
      { 0x191d4d1b47cac61L,0x08b43d5c370964cL,0x17b0ae53c108ba7L,
        0x1291cc91cb18d0aL,0x0f89ac57ca40051L,0x13c966cdd48fd97L,
        0x078553d0648186fL,0x03305a443977a1eL,0x0062eb13bfc4440L,
        0x1d4be194cbc87eeL,0x05b651819e992fcL,0x0600da46eeb49cfL,
        0x15ed7f0f23c46ddL,0x1da7b1ebc339626L,0x189cfca08614770L,
        0x01edea1475c19a4L,0x145800e58fceac6L,0x02b78f22b09c22aL } },
    /* 253 */
    { { 0x1ccb3f632c24f3bL,0x18e3f836c0bf300L,0x02edaa899dda67aL,
        0x1c108babc11b8c8L,0x181a79a87838affL,0x140cd879a7f658fL,
        0x092e1a8b8a0b4f9L,0x0738972ef9d046fL,0x10f46b3db876364L,
        0x032faa04bcb824bL,0x021d8a1e46f90e9L,0x16d868331d8dafcL,
        0x17093d94bb00220L,0x14eb48592bd9c31L,0x0ab46921004b858L,
        0x069c605d93b6a41L,0x0f8afee2fc685dcL,0x0488e8c9b12a806L },
      { 0x1b1bd58f5e5af5bL,0x1131dbdb5115389L,0x1137cebcab729f2L,
        0x134088417b56d7dL,0x0ba36c1116651e5L,0x0121881da2459daL,
        0x1b2ecf18aff37fdL,0x101bc2b894be352L,0x0be0ad8a1e4d1f9L,
        0x095e8a71b339d1dL,0x00ebda484ab3760L,0x1738aec12b9c806L,
        0x0a107f5ca58f6daL,0x044b51d83ef8c41L,0x18ecfc2e40f98f2L,
        0x10fbdea090a89b0L,0x0655e5019b9c098L,0x015f3a27f507a9cL } },
    /* 254 */
    { { 0x14cd05f5b50f324L,0x0f5920f51e3d102L,0x0971ffe39adee6cL,
        0x1dd8081104950b1L,0x10cba9bdd83902fL,0x0e4f0f3959324a6L,
        0x16e07405dbe42caL,0x1f80ba9d6059d75L,0x0874405b1372b8bL,
        0x0209440bcf568c8L,0x08f74fb0ad23357L,0x14ee7e9aa067a89L,
        0x0d564c3a0984499L,0x1a17401dd9bd9c6L,0x1d462ca03a6525fL,
        0x1fbc980f68f4171L,0x07ac710e3c53568L,0x039afaa17e75687L },
      { 0x0a9a17138380039L,0x17f0bfba68ce465L,0x04fb32f06a2eb7eL,
        0x13fc052e0b25a87L,0x130e9b363c5dbf3L,0x1ea4a522a95ad5cL,
        0x0b10dfb98c0c8abL,0x13104d535ae7e05L,0x198c53562993562L,
        0x0434fc3b9a15d9cL,0x04008393e6de683L,0x0349a68f1353aeaL,
        0x1acfa856376361dL,0x045603f2786f6adL,0x1bc72f501fb9cfeL,
        0x0b75bf58fa07e13L,0x19e25d697cb4d47L,0x00f4c264e8a5e9cL } },
    /* 255 */
    { { 0x16d05614850c817L,0x12d8c9a44c096e3L,0x055179632efac22L,
        0x1497cc3cb4e4e7aL,0x17aeb8e18900b5fL,0x0d1ea5d5044348eL,
        0x1f4f799999abf4dL,0x0b871458332afd8L,0x0a0648e8f668d6fL,
        0x1cfe4963d6e0ba3L,0x045b0210c1970c7L,0x1440c3cd5cd2474L,
        0x162aa47e7336370L,0x0f7fb6c231361b9L,0x0fb4b51503097cbL,
        0x12925300904999bL,0x0014b5bfce0039aL,0x03623a52b3b4a17L },
      { 0x0eb9a417d88e3a1L,0x09e4462423a151dL,0x0344ff9844c4417L,
        0x16350d3d17cb3bdL,0x0a75d90a148f5b6L,0x0a3009bd455e2cdL,
        0x13364bc326f1d88L,0x12487f54e8f8704L,0x081763a186a5d0bL,
        0x1e1a0de4de5d75eL,0x04c583dd174776eL,0x0a5b6eb9cbe9c30L,
        0x0cd50de4c2a53ceL,0x1aebb2b68af5733L,0x12954a97b6265b1L,
        0x00b69c9feae2389L,0x0ce215e985a3c53L,0x03592c4aa7d0dd1L } },
};

/* Multiply the base point of P1024 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * Stripe implementation.
 * Pre-generated: 2^0, 2^128, ...
 * Pre-generated: products of all combinations of above.
 * 8 doubles and adds (with qz=1)
 *
 * r     Resulting point.
 * k     Scalar to multiply by.
 * map   Indicates whether to convert result to affine.
 * ct    Constant time required.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
static int sp_1024_ecc_mulmod_base_18(sp_point_1024* r, const sp_digit* k,
        int map, int ct, void* heap)
{
    return sp_1024_ecc_mulmod_stripe_18(r, &p1024_base, p1024_table,
                                      k, map, ct, heap);
}

#endif

/* Multiply the base point of P1024 by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km    Scalar to multiply by.
 * r     Resulting point.
 * map   Indicates whether to convert result to affine.
 * heap  Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_1024(const mp_int* km, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_1024  point[1];
    sp_digit k[18];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18, heap,
                               DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_1024_from_mp(k, 18, km);

            err = sp_1024_ecc_mulmod_base_18(point, k, map, 1, heap);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_to_ecc_point_18(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply the base point of P1024 by the scalar, add point a and return
 * the result. If map is true then convert result to affine coordinates.
 *
 * km      Scalar to multiply by.
 * am      Point to add to scalar multiply result.
 * inMont  Point to add is in montgomery form.
 * r       Resulting point.
 * map     Indicates whether to convert result to affine.
 * heap    Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_base_add_1024(const mp_int* km, const ecc_point* am,
        int inMont, ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_1024 point[2];
    sp_digit k[18 + 18 * 2 * 37];
#endif
    sp_point_1024* addP = NULL;
    sp_digit* tmp = NULL;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) * 2, heap,
                                         DYNAMIC_TYPE_ECC);
    if (point == NULL)
        err = MEMORY_E;
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(
            sizeof(sp_digit) * (18 + 18 * 2 * 37),
            heap, DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        addP = point + 1;
        tmp = k + 18;

        sp_1024_from_mp(k, 18, km);
        sp_1024_point_from_ecc_point_18(addP, am);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_1024_mod_mul_norm_18(addP->x, addP->x, p1024_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_1024_mod_mul_norm_18(addP->y, addP->y, p1024_mod);
    }
    if ((err == MP_OKAY) && (!inMont)) {
        err = sp_1024_mod_mul_norm_18(addP->z, addP->z, p1024_mod);
    }
    if (err == MP_OKAY) {
            err = sp_1024_ecc_mulmod_base_18(point, k, 0, 0, heap);
    }
    if (err == MP_OKAY) {
            sp_1024_proj_point_add_18(point, point, addP, tmp);

        if (map) {
                sp_1024_map_18(point, point, tmp);
        }

        err = sp_1024_point_to_ecc_point_18(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

#ifndef WOLFSSL_SP_SMALL
/* Generate a pre-computation table for the point.
 *
 * gm     Point to generate table for.
 * table  Buffer to hold pre-computed points table.
 * len    Length of table.
 * heap   Heap to use for allocation.
 * returns BAD_FUNC_ARG when gm or len is NULL, LENGTH_ONLY_E when table is
 * NULL and length is returned, BUFFER_E if length is too small and 0 otherwise.
 */
int sp_ecc_gen_table_1024(const ecc_point* gm, byte* table, word32* len,
    void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* point = NULL;
    sp_digit* t = NULL;
#else
    sp_point_1024 point[1];
    sp_digit t[38 * 2 * 18];
#endif
    int err = MP_OKAY;

    if ((gm == NULL) || (len == NULL)) {
        err = BAD_FUNC_ARG;
    }

    if ((err == MP_OKAY) && (table == NULL)) {
        *len = sizeof(sp_table_entry_1024) * 256;
        err = LENGTH_ONLY_E;
    }
    if ((err == MP_OKAY) && (*len < (int)(sizeof(sp_table_entry_1024) * 256))) {
        err = BUFFER_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        point = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), heap,
            DYNAMIC_TYPE_ECC);
        if (point == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        t = (sp_digit*)XMALLOC(sizeof(sp_digit) * 38 * 2 * 18, heap,
            DYNAMIC_TYPE_ECC);
        if (t == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_1024_point_from_ecc_point_18(point, gm);
            err = sp_1024_gen_stripe_table_18(point,
                (sp_table_entry_1024*)table, t, heap);
    }
    if (err == 0) {
        *len = sizeof(sp_table_entry_1024) * 256;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t != NULL)
        XFREE(t, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#else
/* Generate a pre-computation table for the point.
 *
 * gm     Point to generate table for.
 * table  Buffer to hold pre-computed points table.
 * len    Length of table.
 * heap   Heap to use for allocation.
 * returns BAD_FUNC_ARG when gm or len is NULL, LENGTH_ONLY_E when table is
 * NULL and length is returned, BUFFER_E if length is too small and 0 otherwise.
 */
int sp_ecc_gen_table_1024(const ecc_point* gm, byte* table, word32* len,
    void* heap)
{
    int err = 0;

    if ((gm == NULL) || (len == NULL)) {
        err = BAD_FUNC_ARG;
    }

    if ((err == 0) && (table == NULL)) {
        *len = 0;
        err = LENGTH_ONLY_E;
    }
    if ((err == 0) && (*len != 0)) {
        err = BUFFER_E;
    }
    if (err == 0) {
        *len = 0;
    }

    (void)heap;

    return err;
}
#endif
/* Multiply the point by the scalar and return the result.
 * If map is true then convert result to affine coordinates.
 *
 * km     Scalar to multiply by.
 * gm     Point to multiply.
 * table  Pre-computed points.
 * r      Resulting point.
 * map    Indicates whether to convert result to affine.
 * heap   Heap to use for allocation.
 * returns MEMORY_E when memory allocation fails and MP_OKAY on success.
 */
int sp_ecc_mulmod_table_1024(const mp_int* km, const ecc_point* gm, byte* table,
        ecc_point* r, int map, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* point = NULL;
    sp_digit* k = NULL;
#else
    sp_point_1024 point[1];
    sp_digit k[18];
#endif
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    point = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), heap,
        DYNAMIC_TYPE_ECC);
    if (point == NULL) {
        err = MEMORY_E;
    }
    if (err == MP_OKAY) {
        k = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18, heap, DYNAMIC_TYPE_ECC);
        if (k == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        sp_1024_from_mp(k, 18, km);
        sp_1024_point_from_ecc_point_18(point, gm);

#ifndef WOLFSSL_SP_SMALL
            err = sp_1024_ecc_mulmod_stripe_18(point, point,
                (const sp_table_entry_1024*)table, k, map, 0, heap);
#else
        (void)table;
        err = sp_1024_ecc_mulmod_18(point, point, k, map, 0, heap);
#endif
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_to_ecc_point_18(point, r);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (k != NULL)
        XFREE(k, heap, DYNAMIC_TYPE_ECC);
    if (point != NULL)
        XFREE(point, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Multiply p* in projective coordinates by q*.
 *
 * r.x = p.x - (p.y * q.y)
 * r.y = (p.x * q.y) + p.y
 *
 * px  [in,out]  A single precision integer - X ordinate of number to multiply.
 * py  [in,out]  A single precision integer - Y ordinate of number to multiply.
 * q   [in]      A single precision integer - multiplier.
 * t   [in]      Two single precision integers - temps.
 */
static void sp_1024_proj_mul_qx1_18(sp_digit* px, sp_digit* py,
        const sp_digit* q, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 18;

    /* t1 = p.x * q.y */
    sp_1024_mont_mul_18(t1, px, q, p1024_mod, p1024_mp_mod);
    /* t2 = p.y * q.y */
    sp_1024_mont_mul_18(t2, py, q, p1024_mod, p1024_mp_mod);
    /* r.x = p.x - (p.y * q.y) */
    sp_1024_mont_sub_18(px, px, t2, p1024_mod);
    /* r.y = (p.x * q.y) + p.y */
    sp_1024_mont_add_18(py, t1, py, p1024_mod);
}

/* Square p* in projective coordinates.
 *
 *   px' = (p.x + p.y) * (p.x - p.y) = p.x^2 - p.y^2
 *   py' = 2 * p.x * p.y
 *
 * px  [in,out]  A single precision integer - X ordinate of number to square.
 * py  [in,out]  A single precision integer - Y ordinate of number to square.
 * t   [in]      Two single precision integers - temps.
 */
static void sp_1024_proj_sqr_18(sp_digit* px, sp_digit* py, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 18;

    /* t1 = p.x + p.y */
    sp_1024_mont_add_18(t1, px, py, p1024_mod);
    /* t2 = p.x - p.y */
    sp_1024_mont_sub_18(t2, px, py, p1024_mod);
    /* r.y = p.x * p.y */
    sp_1024_mont_mul_18(py, px, py, p1024_mod, p1024_mp_mod);
    /* r.x = (p.x + p.y) * (p.x - p.y) */
    sp_1024_mont_mul_18(px, t1, t2, p1024_mod, p1024_mp_mod);
    /* r.y = (p.x * p.y) * 2 */
    sp_1024_mont_dbl_18(py, py, p1024_mod);
}

#ifdef WOLFSSL_SP_SMALL
/* Perform the modular exponentiation in Fp* for SAKKE.
 *
 * Simple square and multiply when expontent bit is one algorithm.
 * Square and multiply performed in Fp*.
 *
 * base  [in]   Base. MP integer.
 * exp   [in]   Exponent. MP integer.
 * res   [out]  Result. MP integer.
 * returns 0 on success and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_Fp_star_1024(const mp_int* base, mp_int* exp, mp_int* res)
{
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td;
    sp_digit* t;
    sp_digit* tx;
    sp_digit* ty;
    sp_digit* b;
    sp_digit* e;
#else
    sp_digit t[36 * 2 * 18];
    sp_digit tx[2 * 18];
    sp_digit ty[2 * 18];
    sp_digit b[2 * 18];
    sp_digit e[2 * 18];
#endif
    sp_digit* r;
    int err = MP_OKAY;
    int bits;
    int i;

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 40 * 18 * 2, NULL,
                            DYNAMIC_TYPE_TMP_BUFFER);
    if (td == NULL) {
        err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t  = td;
        tx = td + 36 * 18 * 2;
        ty = td + 37 * 18 * 2;
        b  = td + 38 * 18 * 2;
        e  = td + 39 * 18 * 2;
#endif
        r = ty;

        bits = mp_count_bits(exp);
        sp_1024_from_mp(b, 18, base);
        sp_1024_from_mp(e, 18, exp);

        XMEMCPY(tx, p1024_norm_mod, sizeof(sp_digit) * 18);
        sp_1024_mul_18(b, b, p1024_norm_mod);
        err = sp_1024_mod_18(b, b, p1024_mod);
    }
    if (err == MP_OKAY) {
        XMEMCPY(ty, b, sizeof(sp_digit) * 18);

        for (i = bits - 2; i >= 0; i--) {
            sp_1024_proj_sqr_18(tx, ty, t);
            if ((e[i / 57] >> (i % 57)) & 1) {
                sp_1024_proj_mul_qx1_18(tx, ty, b, t);
            }
        }
    }

    if (err == MP_OKAY) {
        sp_1024_mont_inv_18(tx, tx, t);

        XMEMSET(tx + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(tx, p1024_mod, p1024_mp_mod);
        XMEMSET(ty + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(ty, p1024_mod, p1024_mp_mod);

        sp_1024_mul_18(r, tx, ty);
        err = sp_1024_mod_18(r, r, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_to_mp(r, res);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    return err;
}

#else
/* Pre-computed table for exponentiating g.
 * Striping: 8 points at a distance of (128 combined for
 * a total of 256 points.
 */
static const sp_digit sp_1024_g_table[256][18] = {
    { 0x000000000000000L, 0x000000000000000L, 0x000000000000000L,
      0x000000000000000L, 0x000000000000000L, 0x000000000000000L,
      0x000000000000000L, 0x000000000000000L, 0x000000000000000L,
      0x000000000000000L, 0x000000000000000L, 0x000000000000000L,
      0x000000000000000L, 0x000000000000000L, 0x000000000000000L,
      0x000000000000000L, 0x000000000000000L, 0x000000000000000L },
    { 0x10a46d2335c1685L, 0x0f4b8f0803d2c0bL, 0x0f7d0f2929cfab2L,
      0x0b04c848ea81d1eL, 0x136576d12646f81L, 0x1f8d7d9d7a4dda5L,
      0x1479b6278b451caL, 0x0f84f7d10585fa2L, 0x1addedc858f8871L,
      0x16c2cdf8b563637L, 0x10686cb63ab9635L, 0x1400c383e61a1ceL,
      0x1a9b67e0966faf7L, 0x1e9da7beb36de84L, 0x09f263887c47019L,
      0x16442c2a574058eL, 0x0f4afd58891e86cL, 0x02cf49e3535e9ddL },
    { 0x14dd36f71dd4594L, 0x0e64f805778f372L, 0x113a867d94c2ef2L,
      0x127ea412513d4b4L, 0x0f5c14188588aa9L, 0x09ccfd4ba9bca64L,
      0x1aad4462f5e4b04L, 0x0a5737a75fbeb96L, 0x1813d1cb22ecb96L,
      0x0a2b133a01c4c09L, 0x1c466d2b210c73fL, 0x152214301d6ca3eL,
      0x179f7bfa2edd9f6L, 0x0854e86c89ca368L, 0x00dcf4c5bc618c5L,
      0x0a572be33841adfL, 0x003be85ac6a9b6aL, 0x031f78c3dba7b17L },
    { 0x0376b7f016f45e7L, 0x1edab95f6417c3eL, 0x1d07390a6d80706L,
      0x058f5fb03ae725eL, 0x1241098b6fdbf0aL, 0x107c67ded20d8fbL,
      0x0f1356d01d1d2edL, 0x17d267c1a836661L, 0x1ae182830733fa3L,
      0x07694cd87ae3668L, 0x0cd538fe6183228L, 0x130c2aab3882ffeL,
      0x1c129f85cbb1360L, 0x03b42fdf55865b1L, 0x06658cda0bb3125L,
      0x059b4a0bd1d85d6L, 0x02390dcc794ddacL, 0x027f33c8e78c96dL },
    { 0x0a423d505e8733cL, 0x02f328eab8be0caL, 0x1a23a586cc8b321L,
      0x0db683039846f8fL, 0x113bd7210c4471cL, 0x00bd8480643af13L,
      0x1abda77f7a7b6cbL, 0x14c8614dbcbd119L, 0x1aaa7a61a7b81ceL,
      0x1296813119fcc6aL, 0x1bf74181a26a6baL, 0x0f9cb95895576abL,
      0x148e95076130cfaL, 0x074d0f297d26d88L, 0x01005c0c255c311L,
      0x1b3a431843ec234L, 0x097555d1ffebe78L, 0x00224150c2b0ed9L },
    { 0x1758ac273d486d8L, 0x0fca330e6e0f3f3L, 0x07f08622ad3e05aL,
      0x05e66e6c60e4793L, 0x1d8c2260a0e54f0L, 0x18de302b05f712dL,
      0x1fad4a3f0c1f114L, 0x06fade43e34fc89L, 0x1c8e4499c57128dL,
      0x11d829f6bd97522L, 0x09e810ca8f488a5L, 0x0a9a6a8b2cd0818L,
      0x1fd73557e95b518L, 0x034903bd3370d24L, 0x0d09c083499ff66L,
      0x1b689f426a1a7ceL, 0x09f1a9c3f2568ccL, 0x0419d07fc6f6dfcL },
    { 0x0c419c7ab376b76L, 0x14a7993e8786654L, 0x078aa4314534edcL,
      0x1d4c4aeb4dcad77L, 0x098c0a88931ba51L, 0x00b5152b7f703d8L,
      0x0982c12f96bbad3L, 0x0e1ca266a17cdd6L, 0x1339edad6a1d5c2L,
      0x1b376acf4edd6e8L, 0x0efa20b741bb03cL, 0x139196230fb6842L,
      0x01d8a1058a22d63L, 0x115ba2788ff64afL, 0x1c170300fdcfa9aL,
      0x02340e83faa35e9L, 0x05f2e2df95a85f8L, 0x034959e71f5924bL },
    { 0x0e6cb72d2a127b4L, 0x03752c7c940b786L, 0x118d1e8dd8599a9L,
      0x03c1572ddc87d9eL, 0x12edbe8c163d9a0L, 0x127332e40a2e36dL,
      0x14be4bd09b2b937L, 0x0622e9a1680e9c4L, 0x054c240d77d2af8L,
      0x00fd1cb9eb2949bL, 0x05247282751a556L, 0x0a66a8a4c8780b7L,
      0x11d41283278c4e8L, 0x181b0f92996b219L, 0x1bc27c9911e40e1L,
      0x0bfc0ee83236313L, 0x0d6c0cf0aaf81deL, 0x0199f21857a0021L },
    { 0x1f04de4cf26d3b7L, 0x1b9835a9fbcdf2eL, 0x117c6022d9915e9L,
      0x090a06e6c148027L, 0x0b061037ef291eaL, 0x0489dd8ffe4ebe8L,
      0x0161f6741376597L, 0x0ab29146f5fe277L, 0x0b5443483fe3ee7L,
      0x1e10f3a023189c3L, 0x041397377ad630fL, 0x10c4cae59aa5674L,
      0x0115aaa40894fe1L, 0x02cf523175cd38dL, 0x1ac0a8e2b71bf95L,
      0x123a37631a2ea95L, 0x108ae1276362f77L, 0x00874598eeb5debL },
    { 0x07f03e53ed9f1afL, 0x0923bab33b0b35cL, 0x18c1d33856e00ebL,
      0x004d63d0b671b9aL, 0x1af99c151877e2bL, 0x012a3d58b2a68b8L,
      0x17bd65e0ba7924eL, 0x098db8ff8f84daaL, 0x19038f95d2fbeb5L,
      0x12c86ff01b601abL, 0x0dbab93f70fdfffL, 0x18a9e6bc35119f9L,
      0x12da0a5568cb1fbL, 0x0db7aaab9e470edL, 0x0b0281a6a1ce4fdL,
      0x12b5670c8d665cfL, 0x0bcfd261c832a84L, 0x03242a926066e62L },
    { 0x0bfb3e2c4a6ff2aL, 0x01fdd1ad321450dL, 0x1fc226bfdd08aa8L,
      0x1574bb7b2710844L, 0x12a182cb2337883L, 0x100f829c0c3574eL,
      0x079eae7c1d93526L, 0x0b724823fd722f6L, 0x0700b1903570cbbL,
      0x0a8c0eadc8a5f3eL, 0x1110dc660460b57L, 0x1a48ae97332e26bL,
      0x15632d28b232758L, 0x1d1c1f84d328547L, 0x08cf600901e2eb3L,
      0x16892ca8d4c1801L, 0x03ca4061c7a2df8L, 0x00fbb79f9791a2bL },
    { 0x0a2c14344c436b0L, 0x182ab0fb4e43d4dL, 0x05ed7db6cb7de41L,
      0x03daad75046be62L, 0x1d0afa4885761f4L, 0x0e738f7c18a327bL,
      0x1d222a67ca454ebL, 0x07564f7ed2622d6L, 0x0a98a5a8c9bb944L,
      0x1c3c0131772fef4L, 0x1e4f74604ab2ddfL, 0x0999b909792474dL,
      0x0ff1d4995aaf92aL, 0x0276c4ce9e12b15L, 0x14a94e3f67f0cf0L,
      0x14e4d805195289dL, 0x005d0f367bb049eL, 0x0024927fd9e8847L },
    { 0x0548e3dc673562fL, 0x19812f175724603L, 0x0cad7871a5df4ecL,
      0x08dd7caaf7cc3faL, 0x01d6e18e424e206L, 0x0bf4adbb39c8e02L,
      0x06e312e3aee3853L, 0x1a695d16fa84132L, 0x0f8a0df66e01290L,
      0x0bf1251c92f2fa7L, 0x1ecb2c54209cab2L, 0x0e5c4a0e4cc2f34L,
      0x029062fa49b40b0L, 0x19e29de76d6cf0cL, 0x0509e661e029e13L,
      0x1084cb15056ed3eL, 0x03508cd849cc146L, 0x026fe7404e1c057L },
    { 0x1069cb2d527b780L, 0x0d00acbbc986ea2L, 0x002f89f4098f54bL,
      0x0d765a36562198cL, 0x154adf3c34102c2L, 0x187fa3a6329311aL,
      0x1b9f35a244e0917L, 0x11507f5198b9522L, 0x11e10f139d15c8dL,
      0x0b9ee1740ee2b59L, 0x1b2c11713b66ebcL, 0x0fb08fa02450ff9L,
      0x139f3a532f307fdL, 0x110a9e111252b8aL, 0x0a2902167a7a077L,
      0x17a478ac4b2bbc8L, 0x002dc7daff89339L, 0x00683ac845c5034L },
    { 0x10af2a7de085f2aL, 0x06927df4cd972c3L, 0x0985672904ee23fL,
      0x090ab3f0a31181aL, 0x1622da0d1f02a2eL, 0x051b0ac1dcb010fL,
      0x11a0970170bd5b7L, 0x17c02919e38f221L, 0x0392f2896272695L,
      0x01e85dad46b277bL, 0x14891073f2f14a2L, 0x19d8a4c22fcbde1L,
      0x19f04928e9f5dafL, 0x1c9f97155b43095L, 0x0304544a0fdd134L,
      0x01bfdf7ddafdae0L, 0x15af2cde215a436L, 0x0127d4b0e178429L },
    { 0x167db3f616df7f6L, 0x02bec7dec819303L, 0x0a41ba0b551190cL,
      0x0ad12c87b62e9b5L, 0x0c89a0602284f34L, 0x013e890c58c8efeL,
      0x14516ead1abd35bL, 0x13cb4afe90d9312L, 0x0c03214e9cc942fL,
      0x19f0e47a0ca80acL, 0x0dd67ce6b50eac9L, 0x16ffca1dc2e719dL,
      0x1c8f4d7d4e5e1b8L, 0x1aab01f9fb1ad8fL, 0x14be9823bfddf8dL,
      0x16dc2403ec3a2eeL, 0x11494d7a03d4a6fL, 0x01b8e611efe2780L },
    { 0x09b115dda90c351L, 0x0b75f9b26ce0314L, 0x080bd942cc6db46L,
      0x08deaec85eef512L, 0x08100127cc28c16L, 0x06403dee27bf1b0L,
      0x103ca20db342371L, 0x0a62501e2adc004L, 0x03f9a6d7899cb39L,
      0x0524a699d40101cL, 0x05fa47a1f4d1d10L, 0x1a0e4dbbc4948adL,
      0x0d7640c30e70d97L, 0x0dd37363037b52cL, 0x0f04fa00f0b03a1L,
      0x1af1e661ed4f5e3L, 0x17f3e602e4fc9f4L, 0x0495b5e5006407dL },
    { 0x03d5c835f00822eL, 0x12b895c58b78917L, 0x07124ac28cc03a0L,
      0x1b4f9832a903865L, 0x1bb1413f6b4e32aL, 0x09651385f74e770L,
      0x0454fb7edeea92aL, 0x1f39a8e55f5d477L, 0x0e8f09e7e00f0c0L,
      0x070ec392e6f5db8L, 0x0eb8212a6d8eda9L, 0x03707fab1ecbfc5L,
      0x1aa3b62759f4014L, 0x1c8718446bf62f6L, 0x09df8c66abdb99dL,
      0x10e3842b5b0603eL, 0x09de7db4b98cf33L, 0x038ffb164a7817cL },
    { 0x04c71022a4a84d9L, 0x12566af5e38f355L, 0x0297c73595e38bbL,
      0x1fffe2414a76235L, 0x09e6503383f5ef9L, 0x0220c05262cc708L,
      0x0a30787a7e64328L, 0x0d717065a8deb30L, 0x0753f28a033af53L,
      0x176e258db6a7b45L, 0x19a4a9cb3347c24L, 0x1efba444c865dbbL,
      0x1ea3d2661cd3aa0L, 0x1ee1beed1c6ddb1L, 0x1bdad33c7867f1bL,
      0x174d2d83166a109L, 0x073e6a83fe9df1bL, 0x0207ea3f3afcac1L },
    { 0x188b746267140a4L, 0x1fe0f755b797dadL, 0x0239a6189521b6eL,
      0x025d6ddf85bb3d9L, 0x0ac8ff8869beebaL, 0x110ca867e110a54L,
      0x1eda6575725bad6L, 0x06f2671380a82e3L, 0x02d85d4521b4683L,
      0x06b45042089a12eL, 0x1004e7b1b085d05L, 0x172fee60109bca5L,
      0x061f578aa320cf0L, 0x1cdb57218d60b51L, 0x1529a5462e7eacfL,
      0x1c50cd1b04223b0L, 0x18c0b334d98dffbL, 0x02d8e08abf31c99L },
    { 0x0edaab172b6bb8fL, 0x12769017e496148L, 0x0f17f9a531ce371L,
      0x1f96a9b9c9e8574L, 0x032420dc316dc65L, 0x16e7ca6596b351bL,
      0x0b2745b9c1b9c15L, 0x15050138ec949e6L, 0x1ab18d830ea6edcL,
      0x1e8d67340e32fabL, 0x059471f684b0413L, 0x1acd8ef234903f2L,
      0x14785e67a30ac3bL, 0x0d07eac8db568e7L, 0x0718d13934ff113L,
      0x015679c2c9002dcL, 0x0f484de9cb833e5L, 0x04b1d5c1d53ab77L },
    { 0x04b47d8df4ea5a3L, 0x1440aae7f22ff4aL, 0x156228f0d592595L,
      0x1dcf933c2ba2dcfL, 0x155071bc84e55b3L, 0x02bee71ff71026fL,
      0x155c1c401bca410L, 0x159fd18721b774eL, 0x03645bcb63319adL,
      0x0c4f4583e105fecL, 0x1425a5f5f655e20L, 0x0643733e9c771caL,
      0x01a60cfb6a037d1L, 0x01b9c16d008d929L, 0x107701d99652aaaL,
      0x13109913723fb07L, 0x1586b82b899076bL, 0x0221a407e5f22e2L },
    { 0x0ffffb49114221aL, 0x027971f42bd3d7cL, 0x03903e951e1d2bbL,
      0x03adf2c2a485c5aL, 0x1bfe9b77ef3e6b3L, 0x01d4355914b29bfL,
      0x0ab1b0aa743cbedL, 0x0f6482509da48aeL, 0x1a3868917e721baL,
      0x1f7be00608bd3c6L, 0x1241c74c5816b36L, 0x153c0cb51dd2702L,
      0x18c442be82c2dadL, 0x1b6b95ac6ad89c6L, 0x0c0f9b66db0892fL,
      0x006e373a6ab9f1dL, 0x1ebab6d1eb0a170L, 0x04b88c54467fd53L },
    { 0x19c59a2cdecb5d8L, 0x1e40dd49d34335fL, 0x160411dd3efe020L,
      0x154040e16849c1bL, 0x0fbfb781e779a3cL, 0x1950e24e9a97dd8L,
      0x19406a2c36080fbL, 0x1e570b0c6f62967L, 0x15ba70a498a882fL,
      0x13980419d8377d2L, 0x100bd040bfb8aa8L, 0x05331404474b485L,
      0x0685c3fc72e4e76L, 0x1f297573edd15d1L, 0x03d17d9553f9d8fL,
      0x070f8616a80b44eL, 0x082d56a177aa573L, 0x00be03bc6a5b8fdL },
    { 0x06dff1d2735e37bL, 0x0272b32b762b907L, 0x12767aeea5e3262L,
      0x117413e78945eb5L, 0x15b0437740fa451L, 0x1d1765461fd0bbfL,
      0x0f50286877b3659L, 0x094ed1794e00a51L, 0x1f224952b18691cL,
      0x1709622f436afeaL, 0x16455cde1669a85L, 0x061341ff9c1cf41L,
      0x1ba96cc9a3723f4L, 0x0d691d1c2d46dbcL, 0x0fd7611b744ab80L,
      0x1dacd3ffd8743c5L, 0x0c6d6ce84e1a452L, 0x0090ceae42b8ff2L },
    { 0x1eaa67f262969ebL, 0x159ce9781f3b9a1L, 0x19455eec2424e8eL,
      0x1b1a2a04e9cc24fL, 0x0580bdbd0f82b0eL, 0x1a1f35ffffe56c7L,
      0x04759474f41d6a5L, 0x11029097b631758L, 0x095cd9990eb24c3L,
      0x0b530e83fd633e3L, 0x03dd8a8139ae1c8L, 0x1ac3974af990861L,
      0x0dd234a07a2865dL, 0x1d03c9fc9e14b58L, 0x18a7b39dbe4a0e4L,
      0x0de84e16afc3e17L, 0x0301314a82f7e62L, 0x01646bd596b2bf9L },
    { 0x1cf58920825e4d6L, 0x0f552b77c1da233L, 0x17604c4042377d4L,
      0x0b1ba12c7ec7cccL, 0x1df6436a229f89fL, 0x0f5dd3c6258a6ecL,
      0x1ce06676b91a751L, 0x1d6231556eeb49bL, 0x1da8978bd29e37fL,
      0x0e76ad556516bf7L, 0x03417719f5aa29aL, 0x1e1aeff09468d93L,
      0x0eed8cd59a7474bL, 0x08e9cc7dea21459L, 0x0882c46c3f47357L,
      0x09888b2c027b729L, 0x15896eb705a1b40L, 0x0114ce93ba584ecL },
    { 0x19cd58dc64397e6L, 0x0c78f5fb6e98f2dL, 0x0384fa7c76cab06L,
      0x0f1f9b8d18b0cdbL, 0x053c01fd405ae28L, 0x0edafb52594066fL,
      0x1e2837258fcb504L, 0x117dabaa3137d89L, 0x0336fd13d916ee9L,
      0x092d8d98216fa47L, 0x158a46b3801d39aL, 0x16904a62fd2a19eL,
      0x0b821c446be8d38L, 0x185b2c9a63d68e9L, 0x1283541c71104d7L,
      0x0d84d2e36e6dea5L, 0x18eaf9ffa5727b4L, 0x010d633bc8c9b30L },
    { 0x1420e3f2d7fbcd2L, 0x11239cbdefe0c55L, 0x0fe137d752d049cL,
      0x0c700f6fa692406L, 0x133c36256fcd423L, 0x19140a6fe0cd84dL,
      0x066e04f5bcdd683L, 0x138e12f14b206f8L, 0x14f3989970ff27bL,
      0x0070d22b0ad21c4L, 0x0d25a8f980bdd3fL, 0x086364c39439ff4L,
      0x1bee0164cdc3f1cL, 0x13fbdf4fb09108eL, 0x10b86ecc118fb93L,
      0x074ac02befcf125L, 0x1d8663d88d62448L, 0x0074760f387316cL },
    { 0x08ccc298a0878ddL, 0x00baeb320038d54L, 0x0082945cd85e66bL,
      0x1dbab1462b20689L, 0x08d221a1316d023L, 0x0e2471983c2dea4L,
      0x09dc6dd2cf79e56L, 0x0a685dc070498cfL, 0x159ef6cdde0b914L,
      0x01857144d91bf48L, 0x11e93125760c95eL, 0x02fda0ee6ccdc30L,
      0x06a294a32567b12L, 0x0326c1932c0c964L, 0x0c4f96ddaa83d5aL,
      0x0e7fbc5457a25e9L, 0x035d850c1c01b6bL, 0x0329d3cafae881bL },
    { 0x1e2898550dcb199L, 0x1c72f3fd015b067L, 0x1f0f25d80f42cd6L,
      0x1a4fe2636b794faL, 0x02b12d52b0e5288L, 0x1b92e39d53826f7L,
      0x0c44f881ac76076L, 0x0c6162507358ba3L, 0x014f970cbdb45d7L,
      0x0cbfc9f59092f47L, 0x15ce73b9f6a89b2L, 0x1a7e3fde41d37aeL,
      0x147c6a42b146ecbL, 0x13fd87e8fcca508L, 0x103692f4a27ad3cL,
      0x0f2ec2230da6334L, 0x15e083f65a5fb9dL, 0x0186fe23dea2233L },
    { 0x0fc5ae29eaadfe8L, 0x13f2a5a6a74095eL, 0x0b7e2d4cd584940L,
      0x08ad4d4429560e0L, 0x1059068ea2b9c20L, 0x018887d8d1efbd1L,
      0x038728d452c8662L, 0x1096f7c466d896fL, 0x017073ce63e2f69L,
      0x1708a5316efbd63L, 0x064afc1f5f0f221L, 0x1c17d635c5124ecL,
      0x15251849395da69L, 0x003d1d504c1d78bL, 0x03f88626b14a935L,
      0x04a022a6b8fb55cL, 0x0cfe16fe872397fL, 0x02b952c8faa6109L },
    { 0x166841909a5553aL, 0x0a18c193b99de24L, 0x12c8fbbf5a40fc1L,
      0x17e4424da9f39d6L, 0x0fed9578bd3cbf9L, 0x01836c36cb38e01L,
      0x13f96ee965f3b28L, 0x0ed6e0bdac27aceL, 0x1f1d3622b67f33fL,
      0x0de79e308e5c618L, 0x119f7394f46aa45L, 0x1253f2115687470L,
      0x1d8d15767a902feL, 0x0857e83db71f24cL, 0x02c643a050b6d72L,
      0x1349c2418df78d9L, 0x03c80c865532491L, 0x032e165f0ec6416L },
    { 0x04cda20a660bb63L, 0x01d8543743122b4L, 0x13d9ae83bb5c9f7L,
      0x0acf3ba2b0ec8e5L, 0x08452d4479c162eL, 0x1fabcf5b44213b8L,
      0x05dc20a6f1acd04L, 0x10725d42bd92a02L, 0x15e34e300477381L,
      0x01e51a4b9f0e978L, 0x13c7708a6f4f7a3L, 0x1e3729defda74b8L,
      0x0ddfae7a1a783efL, 0x0d04cc29236db9cL, 0x173d2ad0d4f5cb8L,
      0x111724a675ab141L, 0x166d80550160e78L, 0x0418a206a9dd3bfL },
    { 0x03e2e32f611b2daL, 0x13714e87d23567aL, 0x0fa2082cf035741L,
      0x0c3a7c89e1d12feL, 0x1fd27a66c45c28eL, 0x0f428bc94ebfb36L,
      0x1e375cd6e182840L, 0x035d47f9d307bc0L, 0x1c9977db5638ce1L,
      0x0441c17a429b59dL, 0x11e8f1932b7f181L, 0x1eff0428f6e2fc1L,
      0x0c1b411e3e3cd17L, 0x0c2fda36f4ab31eL, 0x1c467295ce6b23eL,
      0x0502a70a7339b79L, 0x1664a985a70e15aL, 0x028261d4536afa2L },
    { 0x0b55283b8fa53c7L, 0x07f9c284a3a7180L, 0x10710df3897e617L,
      0x01cb4253da469a4L, 0x0abcc6742983243L, 0x140f70b569c4ab5L,
      0x09c0a8b700075fbL, 0x17698478d6cce16L, 0x0b35e567ea6e8a3L,
      0x03859e7534b39f5L, 0x1ea70f9b8a3ab2fL, 0x09bcaa6f6fb50b4L,
      0x056de937dc2ae68L, 0x1c2182112f6561fL, 0x1f71482fcba9b27L,
      0x0d5ba7195efa0efL, 0x1d2c27af0b169f5L, 0x024b7234ce38e90L },
    { 0x014fc829fa93467L, 0x1bb420759530a5dL, 0x1ebd20cf826f0b8L,
      0x046d0d7b98cb379L, 0x01f3216abc85975L, 0x0040dc205fe8404L,
      0x1e4ef118ef6985fL, 0x18b7a03f50d7608L, 0x05a21ece62cd640L,
      0x1dfb52a1101eae2L, 0x103b7254459ede5L, 0x195eecb744d19d6L,
      0x09aeab51f9d67aaL, 0x186b431d45d06cfL, 0x1c1a54b052c857aL,
      0x0896a6a99b9b7cbL, 0x1e84f2b5ccfcb37L, 0x0099c48b98981bfL },
    { 0x068064045003cd1L, 0x00bde2257156377L, 0x067f7a394c53f6bL,
      0x138f9d52b8979a8L, 0x18f37e0181e34ebL, 0x04c8645dabbb169L,
      0x129efb3133ec098L, 0x1de178927f2a146L, 0x068074172543304L,
      0x1607e5935e45515L, 0x0a6d18ed17fa96bL, 0x0a5cabf7b7593cfL,
      0x060485dff44bb29L, 0x06f523cb2878605L, 0x178e8080b144135L,
      0x1e68ba59df412d2L, 0x1bd4c8102b46da1L, 0x021175ab9f9c19fL },
    { 0x0592eb6a6ad3f47L, 0x10fb6cb8a5d0756L, 0x04641ca05166c21L,
      0x04c9d4b006af83dL, 0x14b12723cf7c94eL, 0x1db9b53929bb562L,
      0x0f373ca9ae9076bL, 0x15b913d12419740L, 0x0f2e20cb45b0fd3L,
      0x1752d2a6b302cffL, 0x0fea2e2277e2f09L, 0x0fc2cd47e57fdccL,
      0x1c747312e140f1cL, 0x193cccff84ff5e4L, 0x1f4ac15f466e709L,
      0x05b8d53f776996fL, 0x182cfba27d7a0daL, 0x01b42a0e7961292L },
    { 0x10d3c9e22799d37L, 0x1bef2d67d199d28L, 0x063c203de56c6d9L,
      0x155f91bf849cd5cL, 0x0e842dc269b53c2L, 0x033ff43cbaa0db0L,
      0x161df569bcabeb0L, 0x1e5a04114077a0fL, 0x034b473f0654be2L,
      0x13e08157a8af11fL, 0x16fe74ab06bd239L, 0x14836d427a01601L,
      0x0a97e94c11e264fL, 0x0352c37a0b34bc3L, 0x1e49fa427633cb6L,
      0x14acc0e77f0d38fL, 0x134b89778802241L, 0x02cd2dfac911309L },
    { 0x1d1c91e81347191L, 0x00d5e75cb4cb974L, 0x1d9ea751a9fc61bL,
      0x19b54fa72e0f110L, 0x191b9aa0da93cfcL, 0x0e9e36045f74f8eL,
      0x00402099ff5e3e3L, 0x1f7f270c1a12845L, 0x06a6a71aadadb47L,
      0x055035bd30ab7c5L, 0x0c1780e6122f267L, 0x046e5555226b543L,
      0x19b13f3bd136ddcL, 0x05662fa6bbf3f03L, 0x133f4da342d72f9L,
      0x1c1f009b48bf130L, 0x19cf14ef618d3d3L, 0x0233ab260a1f5bcL },
    { 0x1725904b6fff5d7L, 0x199d7c96e23a946L, 0x15d5b482e2a80dfL,
      0x028775d873212baL, 0x08a2b9b032235fcL, 0x09ae30d17f5a57bL,
      0x1d21987140c6253L, 0x1e759256d45d50eL, 0x08eb48b15011bc6L,
      0x147f09463cf6e59L, 0x06f032974a801a8L, 0x0e645e2b70a13eeL,
      0x0c7a036218f3167L, 0x07c0f04f7f46b94L, 0x1f143641a3ce72dL,
      0x03c062ee7e02cf6L, 0x0d50d0f7adbed6aL, 0x04506f70b2774c2L },
    { 0x04991bf47366e6fL, 0x026cff4361802a8L, 0x1d46903338dae02L,
      0x0c7e32c3c429898L, 0x00445e43bbb46aaL, 0x0f10afab53c2fcaL,
      0x002376e346d5f24L, 0x118d51c8a7d8fddL, 0x1c0367ef8bbaa1eL,
      0x086c8f8f1f0c084L, 0x13f439f8828b0ccL, 0x1908aa9984eff2fL,
      0x1d7b628403f1e80L, 0x1ff050be744dde0L, 0x1c001cddde2a598L,
      0x17da53d3b633f83L, 0x0232ce7fe7db6f6L, 0x03d825ae9774be7L },
    { 0x1546bc782c5faf8L, 0x1a62f475c084badL, 0x01879de1478069cL,
      0x07d2adaa3e7aacdL, 0x03c3c37c833a101L, 0x00a476639a8b98eL,
      0x1bd0581dce3ef83L, 0x0ae5d8de177c377L, 0x00aa2ac6ecfa518L,
      0x194816bb371d6f8L, 0x154227188b5b8c1L, 0x16474dbb005f9a9L,
      0x15338863723ae21L, 0x146c0c1172a32d2L, 0x01a5deb61446682L,
      0x04e589e29a0646fL, 0x11c515b081c9c7bL, 0x00e354ad264cdf1L },
    { 0x0b14ad5c2821363L, 0x00c11a68bef0e53L, 0x0b1332b7a1220a7L,
      0x1304913c4f5debaL, 0x1081d927f412ab3L, 0x05d68fc964e04c7L,
      0x07ec5be1ef7d1d7L, 0x0ede955b570343bL, 0x0475a7923b75f3bL,
      0x0ee856b6dddd47fL, 0x1d85912dc2ad166L, 0x1102697b35e306dL,
      0x0eba9abda32a464L, 0x132b12fdae48913L, 0x06392f933b21c27L,
      0x10f39a967233c10L, 0x0c9a5c09c8414f6L, 0x039384501185432L },
    { 0x133c0b1f34a466cL, 0x1704e3fcea2dd27L, 0x1fb838a1e17286eL,
      0x0d21101103ae1e1L, 0x1b043da3824c714L, 0x037a197120b6155L,
      0x0f871ccf69c4f3bL, 0x0ca56b20c9392f2L, 0x0db62d5b0b35c93L,
      0x0af5b711f2e0d95L, 0x02d73aec5ad454dL, 0x10d3ee12d2399fdL,
      0x1b61a85bd59e081L, 0x1d7081fbe432fcfL, 0x119fa77c5a74f33L,
      0x0a2272a4b88e6e6L, 0x1217db55c0b4369L, 0x03a48e3a639932eL },
    { 0x12ed5bf80d2b94dL, 0x16319dd25930598L, 0x1633588866846e2L,
      0x175d70591d590d8L, 0x19ef9ced317ccf6L, 0x15e6ad16fd94f72L,
      0x0c8076a9f626390L, 0x1b927c52b90b2e9L, 0x069e75784d9fc5aL,
      0x162384f809551ddL, 0x0a7cdf2174f2e75L, 0x1c4ba7ba957a3fbL,
      0x010b3ba22ee5487L, 0x03746e5d807ea58L, 0x19a19932d64524fL,
      0x0d6ed6e653f5779L, 0x0416829d1c26890L, 0x045e7e9f2ba0bb4L },
    { 0x0882734d3c8c314L, 0x0597888c3841983L, 0x1f0f01a2e85a57cL,
      0x10ef248f0f726feL, 0x1f9922275365e0dL, 0x0ffea78aa93f2f0L,
      0x18e24281a59209fL, 0x15bab167be45eb0L, 0x183446b896af20eL,
      0x0ebcb85a83a312bL, 0x034819008a9a442L, 0x115ece3d86f3b3dL,
      0x09057fe91ed1e5fL, 0x0944820c37aa128L, 0x0e4cab7c5376a05L,
      0x126f17af0021c3bL, 0x1493e18d1e4905aL, 0x029e56e7bde9bd5L },
    { 0x1b5edf75e53d0ffL, 0x1303644455fb38dL, 0x03e04881b457621L,
      0x0bc456d466c9236L, 0x1173b317b301834L, 0x04f2cad5d33ca5dL,
      0x093463079619df7L, 0x0a69c20c904472cL, 0x061752e59da55ddL,
      0x0c5a755cf2143ceL, 0x19e12d247cafb40L, 0x13a43cf2853d95eL,
      0x0510f262243dcdbL, 0x1328762e1b4a0a4L, 0x06a5d8041bc642aL,
      0x0208cea854b5d6dL, 0x0b169bd75e9c32dL, 0x048424cb25fc631L },
    { 0x1390cf65a93c661L, 0x031324edaf82b58L, 0x0a7694685e20612L,
      0x1ecee5bd3525527L, 0x1c71487c1b0cbb8L, 0x11211f3733ff5ebL,
      0x10be3e6d0e0b539L, 0x1e52dfb4a1d76b4L, 0x0c921b3376089a4L,
      0x0e996bdc3af628bL, 0x1b4b2b1040492d2L, 0x04138843f6f57b0L,
      0x0bf6b7de33f6862L, 0x149e49341f0ca4dL, 0x171330337b863c3L,
      0x01a45a9db7abc11L, 0x1e8c2b75be47358L, 0x01ebfb7fd23466bL },
    { 0x07b290cdffbd5d1L, 0x0ced34b819c6ff5L, 0x0c2243fbb72675dL,
      0x0a85b9cd1cacd01L, 0x12ae4d82bc690afL, 0x0cadb0428cef95dL,
      0x087d1584919fdfcL, 0x066cb346859b078L, 0x055771bf5556516L,
      0x1e3449aaa45d2b1L, 0x06480e524bc8e97L, 0x11c73938c02f6a8L,
      0x14511e601956752L, 0x0e8b52aa9f83276L, 0x152afb8c0fe7ae4L,
      0x09cf87c3189fa44L, 0x0e640994d6ffd43L, 0x047d8969fb6ef3aL },
    { 0x06381a2293cb7a4L, 0x104f85c3dbf26b6L, 0x008c1e2b0fbd14fL,
      0x00af195d229e425L, 0x116ba4dde89ffadL, 0x1ac0502515b4b53L,
      0x04c1c51a06853dbL, 0x11226b1f2f6985eL, 0x1878969962932fbL,
      0x0eec28513452d7bL, 0x1c7db7f88e7e0caL, 0x1a5c9e8e933b5eeL,
      0x17867ca0e95f20fL, 0x1bacc0f64db21f3L, 0x0ac725f9e163b34L,
      0x068a77d28d4b233L, 0x1b14f9303a206ffL, 0x01fe63398bae91bL },
    { 0x09debd5df21f920L, 0x1870fe0a00dc828L, 0x0ff656992abfebdL,
      0x0a586f424448539L, 0x1deb926bf212085L, 0x19f8ee0ea649fa3L,
      0x0f1184bcf93027eL, 0x1a4ac10b4b2b6a3L, 0x02a2f5d62f10fdbL,
      0x06eb167ef8659e1L, 0x10928dac3c952d8L, 0x00baac8c256e2a8L,
      0x0fa1f5249cc3a5aL, 0x1f3150c45f5f186L, 0x10a64e493b1a40dL,
      0x10d0aebe1f7595eL, 0x034d41345dcb3faL, 0x03228a37ee38a8eL },
    { 0x0ec633aba1924f9L, 0x1789b00319370f6L, 0x1eb1f943f05eee9L,
      0x13de7b1c00406eaL, 0x11dc5a74ca53191L, 0x0a095c4aa2d3552L,
      0x14001b887563f4cL, 0x1860378600af763L, 0x0f1789c696ed1a9L,
      0x17969afcc2c7d24L, 0x1426e6065efa15eL, 0x0eaa53544cba869L,
      0x07c058fa801dc07L, 0x0a5d0a6765681dfL, 0x01429d24b5c2a7dL,
      0x0bbb4db8f0a0ad8L, 0x12e2a7ca4a94d00L, 0x022469eb955fdcfL },
    { 0x056f14529b33989L, 0x1a8de54d740ad6eL, 0x184d2c1d10521a0L,
      0x1479b3e67767e8aL, 0x1ff6e4a3955ce42L, 0x07554889d6f2762L,
      0x1bf7f4eab1c5694L, 0x01418c3d932accdL, 0x1108a28b8f6a447L,
      0x0177ac272a42264L, 0x16c58b438bccdd0L, 0x063f68def979704L,
      0x0c96f2fd893dcd1L, 0x12c9463c1040bc7L, 0x18f11653631759cL,
      0x0613e50b467bf32L, 0x1a572497175d92aL, 0x03b440a3ce5b80cL },
    { 0x043a11491767eedL, 0x0dcd6c95fb2edddL, 0x13800e978869784L,
      0x025466a82bd1445L, 0x0a9ead626360442L, 0x195772e162b1da2L,
      0x1875d2f01899282L, 0x0baeb71aaeb17e5L, 0x11cff0ee7d08a26L,
      0x1c8a70ed85b8953L, 0x0497412c61a4b45L, 0x1e98ad99d02b86bL,
      0x1c9fff0e3ade253L, 0x0ed5f68cd23c920L, 0x1eb941942e741bbL,
      0x1c300ce26a4c0b3L, 0x026f37600fb532cL, 0x03387580e2f2d43L },
    { 0x173c0af73cdbb43L, 0x07662bf9218d6efL, 0x1504a868e1173c2L,
      0x052449bbe322f00L, 0x1eac7eff69a104fL, 0x16899121a979c6dL,
      0x0d1dbf0eced39f0L, 0x1e14d3d28616bc9L, 0x07d932340975a46L,
      0x049c4cf2eb27767L, 0x0849436c8d17a60L, 0x1264fe96f2d6f70L,
      0x154bb90b1f23552L, 0x08897beb1774e60L, 0x0eab8c87ea723d6L,
      0x02cd45a1e5f3039L, 0x127b77f03660075L, 0x028242973b1aeffL },
    { 0x10f3ce5a2f392faL, 0x003b57636483c17L, 0x1a4a12eaabd8c9bL,
      0x0797d1d3275a03bL, 0x0d950908b01b16dL, 0x09d79c38982e121L,
      0x0a68319bf585ce1L, 0x04eee6a281da788L, 0x18a31b12a1fabf0L,
      0x029800102c598bbL, 0x1f67f2a71f7ae68L, 0x0d37d0ccfa6157fL,
      0x08e9a9e13fd05efL, 0x1c8f574e179d398L, 0x0339b10fd326866L,
      0x1f160a1a19dcec3L, 0x0c4fb24dc405240L, 0x04c97f0a8fbf486L },
    { 0x054db3138f197aaL, 0x16b4ec3c397cc22L, 0x1ec113c2a0a2937L,
      0x1d463c918d2f684L, 0x1d98efec9821e1aL, 0x0659d771c6584feL,
      0x155cc82e13ea120L, 0x0d774b769508e8eL, 0x0a9be080acd50e9L,
      0x0228f4e77881aa8L, 0x1b9d7f1104c9731L, 0x1d30714bc67ac4dL,
      0x19a2b0abd26eea5L, 0x0db04154b990df5L, 0x0af30ab2a4b9212L,
      0x173f63b902d1532L, 0x1e0134ecf4b9c8eL, 0x02d345fd4262db8L },
    { 0x0ff3b45ff0a2bfbL, 0x0fffcaa817c585aL, 0x02156c70309b441L,
      0x161a773a0829bcbL, 0x026d3917ed16865L, 0x0d9e0717ad12298L,
      0x03cb9a88bd24fd3L, 0x0c290e2a915c483L, 0x06ab363a8509befL,
      0x0e50f1d5c65ddf6L, 0x03726100468e5a4L, 0x1c141ab94aeee3cL,
      0x0581897bc1ff982L, 0x042d6af3f5a0582L, 0x0cdedf12f092918L,
      0x0c51fa2b91f414cL, 0x03956ce6ef7bef1L, 0x03c567efccfaf7aL },
    { 0x1bf7f15f8520189L, 0x1015063bfb0e222L, 0x1ae77e88b86e550L,
      0x0e3e94690e73db8L, 0x0814cc52d2d6026L, 0x14f891e6c99c94aL,
      0x0dbdf79da849017L, 0x1c1c460dd415c6dL, 0x053815218b83a58L,
      0x0315dbb5020918dL, 0x0894f2fcc6f9c66L, 0x06646fbd0c3fd1bL,
      0x1690ae48902dfc5L, 0x05d53769792e49fL, 0x02d28a59af2e3c2L,
      0x19292de215c1f21L, 0x1668cb4b48cb061L, 0x0056c96b9e83ad1L },
    { 0x1b95fedc2ca548aL, 0x063104066c4d5dfL, 0x152cd19b0a011deL,
      0x07a97d12057d322L, 0x13e681edea3be09L, 0x1a00b0c23dbcca8L,
      0x1ffa3c8aa3d2c0bL, 0x1ec7de5969a95d6L, 0x19adc5151b3aed5L,
      0x00e67e8cc6188b1L, 0x0b05ee8f5f623fbL, 0x09a68c84212fb85L,
      0x1794b90bcf08fa6L, 0x05a854f5af5fc05L, 0x06a99ac6de2d2e8L,
      0x079da349fd2684fL, 0x1ae8ef4dcaf075bL, 0x04addec50385374L },
    { 0x1f92495e614bbd0L, 0x1d443dc11f1b1acL, 0x07b3f06f5a9dd59L,
      0x0f1d06b885c48f9L, 0x0ade066a2bfaaf4L, 0x0b699b18a77a705L,
      0x18e241caea98d70L, 0x01ff48538e3c5e1L, 0x0cac1e5d0bd07d9L,
      0x0ff9af528a7ae02L, 0x014ff301553b05aL, 0x0d6e546b28ff126L,
      0x002aebe487ab1d8L, 0x0fdce790f14fd83L, 0x037f3d6828435b7L,
      0x0f4555a28e0b3e4L, 0x119480dc66fb886L, 0x01bad4427e092d4L },
    { 0x18cbe2e1217f7eaL, 0x10f1543ae36d58bL, 0x1b006f6c6950685L,
      0x01c9fae795eee0fL, 0x113a0d86678864aL, 0x0983345d75e3326L,
      0x1654100c97e6723L, 0x0cf727db3925e38L, 0x1fdf36763541e06L,
      0x0cbfdd85c8d33b1L, 0x09a7a981e72683fL, 0x19003d55188e4d5L,
      0x01afa63c55c7303L, 0x07e8956def63ae4L, 0x1a20e2807373789L,
      0x0a6f33fc1bb4e32L, 0x0ec66bb093b3841L, 0x01346c0c58465c2L },
    { 0x1dae35841580555L, 0x19733a39e881db9L, 0x004efb3306ad3f0L,
      0x05649dd3bc48182L, 0x1fa8e066da4099fL, 0x1c6bf71bd865adcL,
      0x00502d6b8139190L, 0x0f0fefa62c856e4L, 0x186ef4edb339e4aL,
      0x0f3bf769d3ec1baL, 0x1eb4def5c1f0ba9L, 0x06741f2f2313107L,
      0x0a2e7a208e816b6L, 0x021aa8b57126014L, 0x17cafd445c7f8f1L,
      0x074ac7d7276669eL, 0x04b8419ed4b01b5L, 0x0458139ae02b652L },
    { 0x09bb464e1019195L, 0x0601379fe1460dcL, 0x19b8aff0ec84779L,
      0x15237bf25f58241L, 0x0d995bc9ec71bc5L, 0x048fff242ebd5a0L,
      0x189965f19da3b99L, 0x185b2aa5a335f79L, 0x1bae6c7fe8e1b76L,
      0x13ec140ebf1d68dL, 0x126be57a625cd05L, 0x0499141903047c2L,
      0x1bc3006c0dd1f00L, 0x0c3b9ea67ab8ffeL, 0x0d50362ccbb3df9L,
      0x0a084b0454f05faL, 0x1fe5ab45c3f0436L, 0x020071d5025a6c2L },
    { 0x13216495e46e4a2L, 0x176b21209b03a23L, 0x0ec7183b1df4de8L,
      0x07cbc1585ccb244L, 0x05107ab75e13aacL, 0x0129eded0be20deL,
      0x08a5996c8bb25cfL, 0x137fe70cf714a02L, 0x1fed660d50621a9L,
      0x1e14283644fe1faL, 0x0d42e7c591469e8L, 0x0064cf96b0de7daL,
      0x19967185b127c3eL, 0x0509804de403e3bL, 0x0bc7d3427055f51L,
      0x143306c5eec8f5bL, 0x0394a42b9acf3a6L, 0x0098e1ed146d370L },
    { 0x0785ff1a7da83baL, 0x0da12e827a21b25L, 0x06f7b00fe04bd05L,
      0x1501ebe944f8113L, 0x1da251b9c58d411L, 0x1d97991e996b087L,
      0x020f266ed141334L, 0x1fa33188897e984L, 0x060c261af730e83L,
      0x106526fe5816dc8L, 0x1e0e2e77c79f201L, 0x1f2f898d21921feL,
      0x175d75f1546b79cL, 0x0e58747f898a8a6L, 0x105d8569f01d3c4L,
      0x01fe17241558365L, 0x0e9de8098ad44aaL, 0x038e8d2351a2a2eL },
    { 0x0178f76fa1b382eL, 0x07661bb96ed06bbL, 0x0cab175344c2836L,
      0x091ae4c45954b55L, 0x0a3bed0627d38baL, 0x1e7667e2a086db6L,
      0x18f5fd8de9621e4L, 0x0823ecbb5fadccbL, 0x1c3b44a8560a456L,
      0x1a3d9d427bc2a05L, 0x1f6b75793583d83L, 0x12182fa76dab049L,
      0x1f325fc13ad8ccfL, 0x1b247d5c804755eL, 0x114b52cfa435c58L,
      0x0159672c9fe7449L, 0x121b95cc416533dL, 0x0366934cf88b3faL },
    { 0x18c0b3b12f4f3acL, 0x0e7f14ce8defd96L, 0x13e0c3cdcc9ac0fL,
      0x06f8b51904a8006L, 0x0d8f144222dd689L, 0x0ba17975b849e86L,
      0x16b76249e569d61L, 0x0bdc2be505810f5L, 0x07bbdc74916ab7bL,
      0x187f205d2c565daL, 0x105faf8aeb0e6f4L, 0x134d8c3409781bcL,
      0x0df27355694b4b1L, 0x18558cb7c99c61aL, 0x0232597a3c0dd08L,
      0x1704df45df970d9L, 0x1c219eee274c7eeL, 0x0193e031fed1a2eL },
    { 0x1399eff5b47cd53L, 0x0c34e8ca1d77f55L, 0x11ec500aa19aefaL,
      0x156384b42dcc9d9L, 0x022de271c3e7c2aL, 0x16b52fe210b5bc8L,
      0x0ccdb9637f320d9L, 0x0f9a2b2a13db502L, 0x0370400f2130bfbL,
      0x1f2702cc9da43c0L, 0x0e87f8e7cf34886L, 0x0565dd969f0e0c4L,
      0x166c27b83b72aa2L, 0x0d2fd2df8d7a624L, 0x0c06bc9e90aa52fL,
      0x0225935f7504491L, 0x056eb6b9d2a3670L, 0x001078ce8e06fb4L },
    { 0x1051a86a4dbba20L, 0x075e36d8ef2e29bL, 0x086799496102d86L,
      0x1ba579989b34f01L, 0x10285a249440302L, 0x04313474ff811e8L,
      0x0451cee4dfb8ce9L, 0x19fc6fdc5e499acL, 0x079fbbfd3a3d057L,
      0x1dd0b69e66ef7e7L, 0x0163b16c8c5c9d7L, 0x1d7ce41875b722cL,
      0x068b4f6bba47699L, 0x18c503b81313a1cL, 0x128458152c024abL,
      0x11ec133a121d759L, 0x144f757e1ff0c88L, 0x03cf39390580282L },
    { 0x12acf252820a239L, 0x1cba75573598831L, 0x1ae92302877ec68L,
      0x12b47dcf55ac3faL, 0x1980446dd2453c3L, 0x0b33b7aa422ad05L,
      0x1d6867ca765ef78L, 0x10be4a59418f126L, 0x1e961af3e7743a9L,
      0x063ce2b3366dec6L, 0x0e153b2f14e3e5cL, 0x0e75424d0a38294L,
      0x052a9f558c58daaL, 0x1de8af02f4daddaL, 0x0864e74debdfe0fL,
      0x140ad4890f24e71L, 0x06de428b2b59511L, 0x0000e9e71b80ac2L },
    { 0x0be36b9e145b1d7L, 0x1c9c5004e2b326bL, 0x19f79f03db6fcf8L,
      0x0d8687ea725cac5L, 0x190897b1951044eL, 0x17bcbe52d5b15c6L,
      0x0a392c687dc2d44L, 0x0bb239baea8ea1eL, 0x1b4c80e2fffb816L,
      0x0f69ce3aca68159L, 0x0a92755a0cfb719L, 0x0979e6d27431982L,
      0x0afcd2c404e7369L, 0x08ea00ca1a6609aL, 0x16179181c6f57f0L,
      0x0f4080aeb208ff8L, 0x084b3280360790bL, 0x025dc637e2057e3L },
    { 0x120e2ddfd0f8796L, 0x05206d899e4ef18L, 0x1b02a4da71b9a5aL,
      0x0cc00e4e77fd46cL, 0x0cb8143937e5b6dL, 0x15e0029cf276784L,
      0x0d4f121ffa7367fL, 0x1d7d715e8880333L, 0x02f124e3b293519L,
      0x10610c564164e0bL, 0x075bc9c27716421L, 0x0a8a6daa0a5359aL,
      0x1959120bfc5696dL, 0x087fd348601faefL, 0x10ca09e668fa234L,
      0x0bb13a9f39f4ad8L, 0x0782e8fea9e9a13L, 0x01b4cd440db53bfL },
    { 0x1ca33721eb1c64dL, 0x19d16f8e940aa2dL, 0x06cd94dc41bfa73L,
      0x029ef97e9b6fc5dL, 0x0058b37f06c1715L, 0x1a74e2e5ef20b71L,
      0x0e9d60b14e9fa20L, 0x00529b7bfc5d358L, 0x1795ec6cbc5e67cL,
      0x011e12f8a135406L, 0x134835aa353e7e3L, 0x14a9a76f846bdc5L,
      0x003d7a4d52838daL, 0x1c0e5a39dcf0476L, 0x10c72ab2a51d7a5L,
      0x0a30ee4e3e73cbdL, 0x18b1df08e9f8253L, 0x0279d258190457fL },
    { 0x17b81071ed095f8L, 0x1bfd36d1136a707L, 0x014abecdb4748f8L,
      0x1c0fb1c623161f3L, 0x03e0f16eb114634L, 0x0f761bdcb1a54bfL,
      0x087049152ee7108L, 0x0f969d9abb7ae56L, 0x0f96038686df20dL,
      0x1a9acfeefc37051L, 0x1553e96b1222aa7L, 0x0957a2093be9887L,
      0x1eb020607a56d71L, 0x1d01192f098a959L, 0x0ba136d26f87061L,
      0x0f70089e49e94a5L, 0x1fd9e525c030b5aL, 0x036c3a2235368bcL },
    { 0x09d07aabe9a42f5L, 0x098b61bc0e66469L, 0x09b6771a7a847f5L,
      0x1f11fdd234e34ebL, 0x18d44f124e19e0dL, 0x174a724ce15a6e7L,
      0x1330817db7e48c6L, 0x1d64ff750ed9e51L, 0x06e1a0f01f57f7cL,
      0x01f8f9a79fe9dbaL, 0x17129d0b07484f8L, 0x04e0fbd70b0141dL,
      0x1faf0848bc5caacL, 0x03d63ace87aebc8L, 0x13f14c45fd452b4L,
      0x01e7b2b472e6920L, 0x00995a4aca97bb7L, 0x01e79c264ffce2bL },
    { 0x00506bace1fc9e3L, 0x10ba133b581ccb8L, 0x0e379cafdecd25cL,
      0x10f36413ee56943L, 0x0e26a8e1ca8602aL, 0x1279cd482c05c86L,
      0x18b847bcce6dff8L, 0x1e96d8bb322c526L, 0x151174e1a577b24L,
      0x1c07e5a82f228f4L, 0x05ebec520c86f7cL, 0x0d76e8fcba55e9bL,
      0x05be99a60809980L, 0x0a2af41042a92ebL, 0x15829949920a367L,
      0x00ee11918a80bb0L, 0x1263c67e73c7103L, 0x0159244287739efL },
    { 0x173cde68541159fL, 0x1260c27da085910L, 0x18647cb2871de08L,
      0x0d51647c800f450L, 0x06b2344a52c207dL, 0x1694a2838d01085L,
      0x131b36c3961f2d7L, 0x172d8ad71df021fL, 0x11248c58f62d843L,
      0x1c81b1eba6334baL, 0x03dfcb99b19bd92L, 0x0883824d797cc69L,
      0x0373ce49e8b2f9dL, 0x140d86f85603f95L, 0x118874549219d63L,
      0x0943942116a9a3aL, 0x01517261ece7441L, 0x049c59de6351d61L },
    { 0x1e4a16be4ded340L, 0x0fd954074401b54L, 0x181b735ceb2e399L,
      0x09554caf532e112L, 0x09101b061c3a043L, 0x05db2679827e2c2L,
      0x0b7d7983ed86b68L, 0x0bf031855d9eaa8L, 0x17402057656f76dL,
      0x0b35bc849299ecbL, 0x195795d35bad7edL, 0x036b4ab6896f5c8L,
      0x1b93747ea560f7aL, 0x196d672b3cb80bcL, 0x1a0f01a2b9f83a3L,
      0x0e683308e8c0f09L, 0x16b24e8c9ed1530L, 0x0367fac52ecf44eL },
    { 0x08c01b003e51f68L, 0x0f9128e97f3eb28L, 0x142c26f62017874L,
      0x1407c82b6fef331L, 0x007d9798255e907L, 0x029c4b68a4233ebL,
      0x143d01570ec7a6dL, 0x1b86a002027013eL, 0x0fbbb2fa6d0233fL,
      0x1b405857f8c105cL, 0x101370e34c5f802L, 0x088999918fbf63aL,
      0x066ec13f84133d5L, 0x023717243fd423fL, 0x18eceb30cfe0f60L,
      0x0d5ee78c4ff8a90L, 0x1275f67f8aaeb93L, 0x02ff2564798dbc9L },
    { 0x01aa4bf8b6f401eL, 0x18951d6ae3f6a2cL, 0x1c99bec1ed28176L,
      0x09384579a8f6030L, 0x09371c95fdd11f0L, 0x123757aa2a53ea3L,
      0x05b4019b157ee66L, 0x0b830c6f8f8ffdfL, 0x0bafc1d346b83e9L,
      0x0e1c2c9805da16eL, 0x17b0acd39f9c495L, 0x1f6163099dd1bb1L,
      0x0249a2786469c9cL, 0x10087973c6e6062L, 0x1de9080a43657c8L,
      0x17b5b0dc4a992d2L, 0x14820931c89eb2aL, 0x0409bb8b2090e02L },
    { 0x066b25e9c5a8edfL, 0x1c461083c53d6b1L, 0x0df521dbbb7db84L,
      0x12c4e88c2ebe04eL, 0x1385382a242fa7fL, 0x1b8df79f167decdL,
      0x02a4aeb6b5ec40bL, 0x068ac5579f4cefaL, 0x0573ebd1751fdffL,
      0x1fb2c293e12863cL, 0x1c5bbb11f2a25b5L, 0x1360cec4593dc19L,
      0x02f8f2c0758ccd7L, 0x1300428a98fe2c4L, 0x1a316ea48cacdfaL,
      0x08dfc9af766c305L, 0x198bf24735cd2f1L, 0x03ce140774e696dL },
    { 0x1cc8203f2b48122L, 0x0248b582562475eL, 0x13727f12217aa30L,
      0x0f0582003959e0cL, 0x076de250ab83899L, 0x0d5c10399cf390bL,
      0x12cb85ea96baa38L, 0x06049a51940d782L, 0x0570c5bb7816b62L,
      0x02891ae67735b03L, 0x0fe27c60fab909bL, 0x078d38cc4e96365L,
      0x06b51e38bc3e3afL, 0x19f2071df058221L, 0x0f96f909b6f1639L,
      0x1e8107f3baaf16bL, 0x14f9fd9f79152c8L, 0x03ac039d254f1ffL },
    { 0x127b0578691ca22L, 0x15feb09d150db3eL, 0x0e16b1e5504fc81L,
      0x14eaa6cc0fd097aL, 0x08a0e24cc5d18a2L, 0x03a6de970b36f3eL,
      0x010e95b55d430f1L, 0x065bde8898226cdL, 0x114646e53cf4b84L,
      0x1e0681854fecbc1L, 0x132090a5fb880d2L, 0x017ffaf7cd8f7b4L,
      0x1608c7f3ff3d0b1L, 0x1a7ea6229690b23L, 0x1a784101b949666L,
      0x1a65bf7573f4293L, 0x0a89342a7fa8661L, 0x01f9f1a2c7d7b35L },
    { 0x1ec35af951597aaL, 0x1ea5624efb275a8L, 0x16726fd3bfd6d9dL,
      0x12a2b4526a04ed9L, 0x1d9bb9c3423eca4L, 0x10f84e4534b2a9fL,
      0x17e63e67ba77fb7L, 0x06571f452ac333cL, 0x1b763875835292cL,
      0x19a76ee7e20740dL, 0x157a7d9515f6561L, 0x047c618f1a57b05L,
      0x0cc1433d67c8ee3L, 0x1e418a5773bd972L, 0x038bd8d5b67e01cL,
      0x052bc883ddbc454L, 0x0ef1e9e17ed6c48L, 0x0320690621a614aL },
    { 0x09a0b8e3284d513L, 0x01aa2f98a829d27L, 0x101d16b354a81d3L,
      0x183bca1b6f66dceL, 0x0549fc46d80bdcfL, 0x1f83d446cea3ee1L,
      0x15308a6dbbc4cc0L, 0x0e69c8c3594da95L, 0x1ca8e351dfc9f1bL,
      0x1e204a6aba30732L, 0x00accc3ccb4d9e2L, 0x096c50ae85d16c6L,
      0x11876c29c369a07L, 0x0895e8bd6ff2958L, 0x06a98e7ce791826L,
      0x00b831dc81acc69L, 0x016b968902ac72eL, 0x007ce0e54606c94L },
    { 0x0bbaab367433df3L, 0x129a38ae9b1460fL, 0x03625fc31732daaL,
      0x16cbc811f227464L, 0x1537345172c918cL, 0x06e504a5b1c42a6L,
      0x04c99cc4e668c2dL, 0x1119e4ace601476L, 0x15ea60dfa6608b3L,
      0x056ba583d9486feL, 0x009e275da53e6d6L, 0x1b716cc61f63064L,
      0x10c65e3eaf48593L, 0x1f3931fc1eda3fbL, 0x19bfccd8e527244L,
      0x1048137359d8dcdL, 0x0c534bd9ba7098aL, 0x03f18e097a2e9b7L },
    { 0x0281d680dfd2dd7L, 0x165801255b0ec5fL, 0x017e510c7e5c7beL,
      0x152b39677973860L, 0x0ffbb406660c8dfL, 0x14d086feeafe186L,
      0x1f46de918c6f9e5L, 0x0ec66dc613dbc27L, 0x176b3bfadfc9470L,
      0x148c92eee639111L, 0x1c35cc55b13b87eL, 0x1c821c566e8ee83L,
      0x13efc4d93c4f64eL, 0x1e27dd97435f496L, 0x1f286ef14edf80fL,
      0x174c15832d9ea66L, 0x1574de41a307e23L, 0x00d10ce229936a9L },
    { 0x1cf7ef8aa4db0bcL, 0x18c033db64cb1feL, 0x019cf62864bcb88L,
      0x05ffb8eee384c72L, 0x02fc0edbc0cec2eL, 0x063021ccbe471adL,
      0x00481e3843b060bL, 0x11dfa1bc5965619L, 0x14d6c457f69e57fL,
      0x09f34d92da9f8e1L, 0x08cc2b13e272e25L, 0x06532aacd7cc845L,
      0x0d437442d192ff2L, 0x1f534a01b9e6a81L, 0x00c198bc1339642L,
      0x17f26d582a6fdf0L, 0x12fe02bcf77b6d0L, 0x00bd554ccde480cL },
    { 0x13d56438e55db2eL, 0x0f7219dca342886L, 0x03956e2118be0d7L,
      0x0bd42fc4f834288L, 0x1d95f7a9a6ff3b3L, 0x0b396791fcce1b6L,
      0x11701c85ff766f7L, 0x04be801583dba40L, 0x094b55c874ff06bL,
      0x1225072872524dfL, 0x097a46d0eda04c2L, 0x1bc2429f2d8bd12L,
      0x0c0f97fa9778bedL, 0x12dfe93387a2b52L, 0x1d823be8a3f61aeL,
      0x0e97876965b1f7cL, 0x04afbd5ff8c2264L, 0x03594157852f9d9L },
    { 0x0fc025f6341a595L, 0x01c6b5222f1463cL, 0x18f7ad11a109647L,
      0x06eaa8f066e57adL, 0x083e16c43f9466dL, 0x13d65a488a0a698L,
      0x1ed905176519a56L, 0x162205bbe131fa5L, 0x02a2b2d2d0bfd87L,
      0x0f4df2e2ca2a844L, 0x1e2fd2a0091779aL, 0x1ad16460d61ddc6L,
      0x06c2be9f3d80b0bL, 0x04016122bb52a2eL, 0x104b7ed0a7459edL,
      0x12ec427cc884e56L, 0x0bfb664f529ee8dL, 0x036a7ae91aa3837L },
    { 0x1c8f2b600ba9f88L, 0x003f03ddb685f9aL, 0x150acee0796ff72L,
      0x1d4f58f03c1424dL, 0x137dcba6335ce6cL, 0x04b2439f184737fL,
      0x10d340a3729898fL, 0x04ce5d74afd1030L, 0x1a9e3d59f79b78aL,
      0x17853ee9783d751L, 0x1919e093417dd34L, 0x02e0022dbd6dc1fL,
      0x1258f37580b2085L, 0x1a0385d9ce152f4L, 0x05df6439e2f5e95L,
      0x10368aa3f90e573L, 0x0ad6eda93c440dbL, 0x0255785a7eb2e9aL },
    { 0x1ef25063514c7afL, 0x13ed6de0c0f56cdL, 0x1a1e3e8fb162c27L,
      0x0a2e770d0bde795L, 0x121d32ddd8dbfabL, 0x0ce233592487e04L,
      0x16f6d3bbce1ae2fL, 0x1b7839baa5f40c3L, 0x064de989a25bc04L,
      0x17cc1b5c2b9431bL, 0x16a0122f912a801L, 0x1c9c12e0318e234L,
      0x17b2c11fb116dedL, 0x1390f66cb95762bL, 0x1afcea45136b786L,
      0x029aff338a4d7adL, 0x137a1d4165b1c2eL, 0x045965e9cc15e31L },
    { 0x0ec1bf28a52e991L, 0x1017b67cea17614L, 0x04c318d3a9142e8L,
      0x078aec5739060faL, 0x087c2a2d3fc257bL, 0x0ca4455e994c68aL,
      0x01b4b2853c69e8cL, 0x1138e1952760d74L, 0x19aa3f4b3ee405eL,
      0x03277599aef7573L, 0x17d5e00efc75333L, 0x016a8ac2d7fba2aL,
      0x06086e33f6041ecL, 0x18121e7a91efc07L, 0x1333560e669e723L,
      0x190630d85049d0eL, 0x070220eeaec8fc5L, 0x02bf141823edf1bL },
    { 0x060b698fbcdf666L, 0x0354cc5f5d8e937L, 0x16ea012610daf74L,
      0x1ca457911a80895L, 0x08423b20d76bf75L, 0x1cc53932ae25cd9L,
      0x1d8059703d2494cL, 0x0b4eda9e56e1946L, 0x1469899252030faL,
      0x159bf43db02a382L, 0x1bdcc54f786cbe5L, 0x19195aa9de0bdf2L,
      0x0aa93617b05ecbbL, 0x1e5d10bef5944e8L, 0x1528b5ceb03ef55L,
      0x0c0c7a1a796ac33L, 0x1a6e8bee9d4c91dL, 0x02789701bb4b7feL },
    { 0x0cfa42215f1a610L, 0x12e2a9bc328cd26L, 0x1151ce0e04d2012L,
      0x0896509c54248d4L, 0x146d1320fa15b48L, 0x14507d1b2326328L,
      0x0013bedaea231c2L, 0x0d4e9cf9dcf2789L, 0x18c34d22cb95ae1L,
      0x0cf6c4ffce0ea6eL, 0x0219b4c8094dc67L, 0x056537ac8894c34L,
      0x0cf277bab145b23L, 0x14a245817c44749L, 0x1487b2dcf9a71baL,
      0x15f643492dd52b6L, 0x191a8f78ea75858L, 0x041e9199f589337L },
    { 0x063328867b478d7L, 0x10d70a8517e4e0eL, 0x0cc06348906e87bL,
      0x111279ad2c0b6d5L, 0x08117a8769f1f28L, 0x139ebb8aceb3305L,
      0x17c2ba0480465c3L, 0x164a51fde0127eaL, 0x1b3978db8d854dfL,
      0x15a1f7b7a2ecfddL, 0x192ffb56fb8e5f5L, 0x1eb2d7eedb5a2fbL,
      0x0e3d40754ca01e0L, 0x1c7437799459140L, 0x147961a3b6d848bL,
      0x14ab7044d6d5f6fL, 0x021463532152f40L, 0x039b1789f62d18bL },
    { 0x12eb27c73c0c430L, 0x0532fd28e1b2bbcL, 0x1b3b48653c6e330L,
      0x110296928ea14b9L, 0x0b6fbbf41894568L, 0x1543045df8540d2L,
      0x1e578ddbd3d63c2L, 0x1abb26c3ad0730eL, 0x1b6510cd8e3a8d0L,
      0x1f17edfdb60d22aL, 0x04553abb2247e58L, 0x0e2bfead1ec8592L,
      0x172f2b399e0eb1eL, 0x04f85f85f3d7ce6L, 0x060da547f0e6eb2L,
      0x04151e10c3b2521L, 0x0add9b16f02da0aL, 0x01788349fd1c607L },
    { 0x1a6ce910c06ded2L, 0x0421797ec843d83L, 0x1f5aa7d8d69be5dL,
      0x023dac0c4dc8d17L, 0x169ee54804b6189L, 0x0b51008fd97c4f9L,
      0x0ceb272f4444f72L, 0x13cceb359fc21acL, 0x164ba66fc8faa62L,
      0x1435724a3f9c141L, 0x10e81756736a669L, 0x162811d45edd051L,
      0x04af3953c87c7afL, 0x0ed54f2792a8e47L, 0x1bc65016d4f49e6L,
      0x0f9b63dfed1a95aL, 0x0432775dbdd9643L, 0x04c2fc1f227f3d0L },
    { 0x1603c16eaf45294L, 0x188b06125aba8c4L, 0x0060e75ad4b5c04L,
      0x05db28668098224L, 0x14f41b687079cf0L, 0x0560f0862d8145bL,
      0x13c38f70fc1da72L, 0x044b58bdd47f164L, 0x0ee6684bae34c5cL,
      0x092cf31cd5e2295L, 0x14b347a77d17329L, 0x1926348879f560fL,
      0x0992c003b307019L, 0x06c65e17347eed5L, 0x1e0729cb67c5e70L,
      0x18f3377e2b4de3cL, 0x0f154d779d550dcL, 0x0064472a007f4b1L },
    { 0x0f71a6ae8f44357L, 0x1a5fb1d1e55b542L, 0x16796baf1a03dd6L,
      0x0914ea7de466993L, 0x075e3c8ececaf08L, 0x07c69d71400a608L,
      0x0cabaee7568e3ddL, 0x124eb3108c9701cL, 0x17b328e6ff2bc37L,
      0x1dd8fd7f76870cbL, 0x1ab25568cc196baL, 0x1b1f245b79d0ce9L,
      0x05987b907a8c19fL, 0x1d9d166bc60bd74L, 0x01ddcbe27ccd89cL,
      0x19dadd75d4033f5L, 0x1154e5de4993a25L, 0x04712b05c578883L },
    { 0x0d3746c3141aba6L, 0x083cfdd5967cf2bL, 0x00c673749f1d168L,
      0x053bfb2a1d6c705L, 0x1a9408ff2223763L, 0x0b008c0f058ae69L,
      0x0ee9d26a00802c4L, 0x1aa4e33b6bb4707L, 0x16078340a651046L,
      0x094ea6f4ba91d8fL, 0x00d1723828a2ae2L, 0x158415be138e808L,
      0x052331d61161275L, 0x09c8e5285a0d593L, 0x0488c548c331df1L,
      0x13453117c19251fL, 0x0e5fef3d92b92fdL, 0x02c802f91419279L },
    { 0x1b1750c3c4c1c74L, 0x1d56074b37dbcb5L, 0x16499b165cfef9cL,
      0x04750cad6d0b4ebL, 0x10446cde8c97f93L, 0x19c4bf95b821d8aL,
      0x1cac952245bdcffL, 0x1cd227ba0396316L, 0x0d0a751f1488c0dL,
      0x08bab8a42ac652cL, 0x050c0512998f686L, 0x015961c10c312eeL,
      0x0cf39ead9c2df19L, 0x0b9c16d080407e0L, 0x18a8ce00216b1b8L,
      0x15d1bd2f230a264L, 0x16ee4495936b43bL, 0x02bd3c7136bc1efL },
    { 0x01b346f40dbddd8L, 0x0d493ca0861d60bL, 0x1e0c621b3cecad2L,
      0x0467727bd718a84L, 0x00df579d72df323L, 0x077a804e46acfaaL,
      0x0190f975e99f708L, 0x18788d67230cfe1L, 0x0ecfa2445ad96adL,
      0x0c7ac4d8622a268L, 0x124c0782105f5d9L, 0x1ed588a9c511cddL,
      0x0fac0f462d6ca5eL, 0x046c501b20c8824L, 0x14d6dfa14901f60L,
      0x1b50f698a674fedL, 0x0e83251e4128f6aL, 0x00e51b862c0e239L },
    { 0x0bd5171a801b68aL, 0x143ce7e8ccc59caL, 0x0afd0458c809cc4L,
      0x09eb603fb6920b5L, 0x1cda128bb5fe87fL, 0x1e98fbbc6f291d4L,
      0x130d42fc586871eL, 0x05b6bbd9fa04720L, 0x0224b2882e188f1L,
      0x0e9400efcced73aL, 0x119ed4233473483L, 0x187b810cfc7395aL,
      0x002b4250726c311L, 0x177ec801b8d08b9L, 0x0f4ec0e0efd1938L,
      0x0b754a7a089143bL, 0x07932db52f4e626L, 0x012c259a62619d6L },
    { 0x0b863892aeec688L, 0x1a05d22fdf2919eL, 0x07dff582d7e2979L,
      0x1890e9227a845ceL, 0x1a17d80d455d185L, 0x02a29202615d9b7L,
      0x0995cfc9c6152b0L, 0x190edba608b5173L, 0x02e42c3e162ee7cL,
      0x013338326fb63e8L, 0x1f754771f2d2200L, 0x157c30f12fc0b24L,
      0x0ef2d5737c6b3faL, 0x1fa8d4ffff35691L, 0x001eeaabed809a7L,
      0x14935c3906a8ad3L, 0x085acddb6ff951cL, 0x03f4089ba1fcd58L },
    { 0x1722a8b830a88b1L, 0x0c75467088bf0d6L, 0x02e01026d1f6464L,
      0x06d88da3a67c05aL, 0x0589669cb53812dL, 0x1866af17e84ed87L,
      0x1114e6117341856L, 0x19618382ab4470dL, 0x1da774de5f5ff43L,
      0x183b5cc71c8e066L, 0x1c7bfd4013ca1aeL, 0x08d95dd817fd2faL,
      0x0732a1ad9423e0bL, 0x1cb6d2117229c33L, 0x16caffbf8327e04L,
      0x1f522c6ed8344c7L, 0x1a6001c7918ba56L, 0x021b5c6326fc242L },
    { 0x0117e9d8ab764bcL, 0x10f4a503befc244L, 0x174c3063baf77e9L,
      0x1ff928a3b8b4eecL, 0x071a347a548916aL, 0x1da0ef80d297198L,
      0x10a198cee577ac8L, 0x0d1bafad1928791L, 0x1e4f9d41e18d970L,
      0x0c845c846493cceL, 0x10523b51ce528deL, 0x0a2f9aa3ca7fcc2L,
      0x1e0243dcb6e5018L, 0x0bcaa202a83003aL, 0x1f697ff97737988L,
      0x196ccdef921c2a6L, 0x1e11df7aae40768L, 0x02933654f36df4aL },
    { 0x0ddee6d1386b3dbL, 0x057ad3e1c72a042L, 0x1103ac13d277e79L,
      0x11fbcb49fb66830L, 0x10257cfc2138a1eL, 0x1eb8609f3734921L,
      0x07fc0d4671b8c67L, 0x1d11e69c2e90d86L, 0x0f1e298fd940ce1L,
      0x1dc658e8a4b06beL, 0x104d1cacbceffdbL, 0x016828ddf1fe40fL,
      0x0b7bd3e220899a2L, 0x1135f513bef61b1L, 0x0d32d9ea5d41139L,
      0x0e0741e6568929fL, 0x02bc17a09201fc6L, 0x020f992dcce6c25L },
    { 0x12ed513ce2843a4L, 0x024c70039457e18L, 0x0089361933979d2L,
      0x094c40107751de5L, 0x0bed338d3406470L, 0x1f3d9c2c82f0ecaL,
      0x1eee4a95e32d418L, 0x083304edb2c513cL, 0x0dfe2dc47f17b73L,
      0x091a90f8ed644a2L, 0x1b4a348d002a9d6L, 0x00bd4ec374867b6L,
      0x0d9bfd07ddc6477L, 0x1216547ec4a3dd3L, 0x030d1a003cb8eb0L,
      0x031fa93de8ce1d7L, 0x09e7db3d37bd9aaL, 0x02b5987db72c675L },
    { 0x1ecdcaacd80a428L, 0x0916e4399644883L, 0x1e60eb69107debeL,
      0x092496011441b10L, 0x12e81c3a3bed9a4L, 0x1c03e99091a99e5L,
      0x0bb2f0d3901d597L, 0x11a17f5df4a3e5fL, 0x178b634a5ade8a8L,
      0x0705bfc4a1c9548L, 0x088dde42ec73631L, 0x09f5f0e4095c612L,
      0x1585d3cd83dea9bL, 0x03291d3c9f6fc0fL, 0x10365a563e23147L,
      0x0fe0fc8e5f7162fL, 0x146899081e5dccfL, 0x009a9e62bac5ee8L },
    { 0x0a5649739bf6e18L, 0x05ad1324dc4e394L, 0x128373a2e39d67aL,
      0x02408e08191b286L, 0x0a7b8e82d935bf5L, 0x1c094a1559d0b23L,
      0x1ca5fc560fb589fL, 0x057082d4fc0e5acL, 0x149685d86cd39e4L,
      0x13cbfe3cac6edd6L, 0x03e4a055739b7a2L, 0x0ae1f146c46b4abL,
      0x0052877ae575f4eL, 0x1358b75ede34e7eL, 0x07307c63d064ea6L,
      0x1cf131a3be87976L, 0x158723a830e5a21L, 0x01f610c2efa28efL },
    { 0x1d4c7d71f0bc2d7L, 0x163663728ea095cL, 0x164e827e03d9a60L,
      0x0a08f5c13925c05L, 0x17f351f9b7dd2d2L, 0x1c285f1a818a4f9L,
      0x14b21a75273871dL, 0x13ac048559625e1L, 0x0ba188c567bc28bL,
      0x1203090835e02a8L, 0x012c7e35f50ca63L, 0x15cfa712a3c161bL,
      0x1b8bc97607b4a67L, 0x0a4bd5395a93e2bL, 0x0f7599af24f17cdL,
      0x08f46be3bd19873L, 0x1e53087dc5ce9d4L, 0x044d9ab5b5108d5L },
    { 0x16db0afdfdcc837L, 0x005d55438dbd4f6L, 0x1f2470752dc83eeL,
      0x0f5b593cb882757L, 0x0b8657a3f5b56bfL, 0x00eca72b32516d4L,
      0x0d96046c13dc839L, 0x1d4c7c23a4c6e86L, 0x0ee628ecef426daL,
      0x08b0ce4e58b16e1L, 0x1605fe1d92190c0L, 0x0e04ab09790d39eL,
      0x0f00bf7928e1bb9L, 0x0e30777296613e7L, 0x0b70be53bcea03bL,
      0x09ea4fc24057d0fL, 0x126656f18e08a0dL, 0x01ce27886abe2e8L },
    { 0x1a9b68ce88aecd3L, 0x1848c528c554ed9L, 0x16b52f53b951556L,
      0x0e040d1b09db839L, 0x011ac72d79b68b6L, 0x0d053c3ed640684L,
      0x18a0db479b4d6a0L, 0x0899083d3d477a2L, 0x0a7bc1775894c44L,
      0x15b1b92f8d50901L, 0x1dd9fb1f53155bcL, 0x1767a8dfea377d8L,
      0x0d73f7e3392817eL, 0x0d7692627ef2df4L, 0x195e73d131b25ddL,
      0x1f79817342e0f6dL, 0x100cff164789069L, 0x020a5aa16a48a95L },
    { 0x1c31e58606e173bL, 0x1a70dc873389d19L, 0x144b7aec82bd6dfL,
      0x0e0a241ce084bf6L, 0x1013e4ecc788c61L, 0x03736b9f782b014L,
      0x1a42a7e74d6b207L, 0x05dc263d11f28a0L, 0x1708f9b3244af08L,
      0x1726b360dd15754L, 0x1d29b9d036ca72cL, 0x0491a308600f5e3L,
      0x18ed556a6c74ab9L, 0x13868bd30999c77L, 0x023d6ffd23988f8L,
      0x10a2a78e6c5f52cL, 0x12a43977874444eL, 0x02933c6b57005c5L },
    { 0x1ff1c59df36aeb4L, 0x1329e5495e055aeL, 0x125a49e97e054b5L,
      0x085bfa923e1c07eL, 0x0571f89b8509d41L, 0x19a24292c616295L,
      0x07824af5860124cL, 0x00c3467d29e7efbL, 0x0fab418d32c1bf9L,
      0x1ce24872d52b4aeL, 0x0465bbdb4b5fffcL, 0x00ea1ef291521c8L,
      0x12d3053b4f3ecd4L, 0x0eccba64a5ac7cdL, 0x08bda0ae3ba10a9L,
      0x19d4c474b383b7eL, 0x0dd045ac614c8efL, 0x038205d2de08677L },
    { 0x0364f81515a1a96L, 0x11a818c2193f016L, 0x19406b64f53cc69L,
      0x024e76c2e61412cL, 0x12cda9d29d7694fL, 0x0a60bbc4436c3b6L,
      0x1a5ac78069d08a0L, 0x00c69244ed70cceL, 0x02fd4f0c65b25f0L,
      0x0939a4ffd94a625L, 0x18362b7874cdbd9L, 0x07d1cfc70c1d83fL,
      0x01b774c31eaf9a2L, 0x01b2bc254be95b9L, 0x1d3aa8feb0f9609L,
      0x06491fe5bfe9ce1L, 0x1c13d281e1afe87L, 0x04821d36b05e8e4L },
    { 0x111a0fe766c7937L, 0x0f6ae55de1df18aL, 0x0333802222b06cbL,
      0x1ac2c401e65582cL, 0x14a2ea06928754bL, 0x1f0837dc00e41e9L,
      0x136522b5e80ea72L, 0x10132d610459dbfL, 0x1c3c3463ae40698L,
      0x1897526facbfb31L, 0x14e0d10324abe7eL, 0x0b8c9d1b42a8591L,
      0x02db4e801a79bc8L, 0x0f1abcd94abb8fdL, 0x0ab41e1ef4b04e0L,
      0x1588dc8b8ebbfffL, 0x135b0760a3cb73eL, 0x0131b15a41d092fL },
    { 0x1c68d28eefc3e89L, 0x1743bb4f4f73892L, 0x0e1abd792dd4b43L,
      0x05970d6667160f7L, 0x1f552bacdb70907L, 0x06d0f4fe9e90757L,
      0x1c51697bacac530L, 0x10a723ed11489f2L, 0x121fbd3101e06d4L,
      0x0f27952df54e6a4L, 0x0351929efc87691L, 0x11900a9aa8e2f6cL,
      0x11bee0f2e9193f8L, 0x00a1c939ad6729eL, 0x11ad7ba4b09958fL,
      0x0b375390dc1652dL, 0x15e452fe23109ffL, 0x0174a95902aae49L },
    { 0x0846bcad75f886eL, 0x12edf6a1efe2c15L, 0x16d801ec6e1b9a2L,
      0x126abfe56a207c8L, 0x0263ecc9580e2ecL, 0x0f2f19de3817935L,
      0x081d8a0d6ce1860L, 0x0da04a227d8d824L, 0x1a5c26e3a7fbd85L,
      0x17c1fd9ceb75e58L, 0x094fca9134bea23L, 0x1e66a763f52ef55L,
      0x1117559a307c14eL, 0x1849bbf07fb0250L, 0x0bc09ccaf365ac2L,
      0x1de0d4b82912db6L, 0x04b1c0a84c9eb53L, 0x0091b680b981bc7L },
    { 0x1481c8fc084373bL, 0x123b432304bd76bL, 0x1e8184ef0d2ca6bL,
      0x19269785602601bL, 0x0e2be7e23712714L, 0x008400432923148L,
      0x115d9553eee7fb4L, 0x105e1d816708462L, 0x165baf594330a32L,
      0x1eef0d438377c0bL, 0x11c9f6e9d4c3a4eL, 0x1acce9992b96fa5L,
      0x052438906dbb0c5L, 0x08a32c79d9fe69bL, 0x05fc3a466206507L,
      0x18fd5cc2deaaad9L, 0x16e353c2d854b9eL, 0x00152400a31065aL },
    { 0x1d6d23d506ccd38L, 0x10e2a482cdd5308L, 0x109da74047148a6L,
      0x0db05126fae2f93L, 0x03835083e87e1b4L, 0x0d612c7aeb1dddcL,
      0x1347fc29ed09eabL, 0x1fb33564d7b3e2aL, 0x0dec0ffbf8ec955L,
      0x14abe33a4fe5c40L, 0x0577b87804537bbL, 0x096e6d3e8d8e647L,
      0x0091eb2599192a6L, 0x117461ed2182233L, 0x155b462f8b6a21eL,
      0x0ebe7489c584b86L, 0x1e031390414b55fL, 0x00ec5ef37c790bfL },
    { 0x1cd39f8a2028924L, 0x078ce583765cf81L, 0x12df5bc16119b95L,
      0x0cb40c0eed0c577L, 0x110fec10dbe0671L, 0x0ddb2e49cbe4bd5L,
      0x0e8e3d084e099bcL, 0x1cc829bd9974ce5L, 0x1594d4d43f88b05L,
      0x0c9fabd564a6a68L, 0x10a9aafec5d8e1eL, 0x16b76df8cab4e9fL,
      0x04ee8d2139d8196L, 0x1b069d136e1bae4L, 0x0e4ee1ee6c02808L,
      0x0413d66dda6b9bdL, 0x1c1f565b28bcc83L, 0x01a4e34a1e30809L },
    { 0x1b394444de6c88aL, 0x16238a380103f68L, 0x0288870ade03570L,
      0x0810a1327d6de8bL, 0x1aef0c18749f756L, 0x1e38782005d2bcdL,
      0x1fafcb5d0a4e1cdL, 0x0a78b51c5d8428cL, 0x0243a666e5337f4L,
      0x0c8f8e3f685ea85L, 0x1cfa43d2f47e472L, 0x1d14be1c253674fL,
      0x170738963596089L, 0x138c1564e869d0bL, 0x05f170a73e10b54L,
      0x0aed24232a53210L, 0x0faa32f327e8725L, 0x002b2c3d5c4e16cL },
    { 0x08562ed1ce4733dL, 0x1fbe5cc728a2200L, 0x087ea6ad1ae57ebL,
      0x1d6c351826be060L, 0x16b3597689494c5L, 0x01697b2be4a81b1L,
      0x1c0f9afa1323cabL, 0x1761cb669b137a4L, 0x1c4ad918f7e872aL,
      0x1544f4fe2029770L, 0x0bb8fcc642d47b0L, 0x086edffe4a9f859L,
      0x08883e097258fd1L, 0x07d8aa1c379e06bL, 0x12ab8018f4283a4L,
      0x01ed98870ec97edL, 0x1de815f15653f1dL, 0x00dc3f976dc366dL },
    { 0x1792bbb2b0b15b1L, 0x05ad3e735d3bc9aL, 0x1f67763cdde68f9L,
      0x1b8531a3dff759fL, 0x047031c6005450bL, 0x0b4033071faaab6L,
      0x14b081dc3c1ea57L, 0x0a99c7d09c05a20L, 0x1b050791e7aa8ccL,
      0x0b10f39dd1911d1L, 0x06e534e58ca6413L, 0x168efd700adb0f7L,
      0x08edfca0cc8df9cL, 0x0b895065712186fL, 0x0122a64dd2fd05aL,
      0x1cb3d7c7e78ef11L, 0x023b22b87b1c4a3L, 0x0470113e21f4adeL },
    { 0x00e22a83210964dL, 0x0aefaff82b77580L, 0x087f6bc7ab5f733L,
      0x00cf9b95c6042e7L, 0x0bdcc90cd02833eL, 0x125a7a8e62ba65cL,
      0x00a621bb29c50c8L, 0x1d7a01cc075767fL, 0x1b98ece1b0c1a8dL,
      0x14523721bc6130eL, 0x077436985979748L, 0x113296fde1c58dfL,
      0x13bda9f306b3ae3L, 0x1c50426d9d1e0b5L, 0x053a5417a689b4cL,
      0x00d78a51cb326a7L, 0x16e848ecb114ea2L, 0x00a58ad5aa02a2eL },
    { 0x16d86c9664c59a2L, 0x115f0b07ebd5287L, 0x15a641cb2e38f7fL,
      0x1302ed4fc067f36L, 0x0587080b5f2325dL, 0x0ea702bcd06a73aL,
      0x0a38693b837bc35L, 0x1dd815b3ff590f6L, 0x1d6f18d2f3f09b4L,
      0x044b57394974ec3L, 0x0254f58251d8f33L, 0x0f5031f7f3f5951L,
      0x094b63d701dbee9L, 0x03f53917ef90707L, 0x0ad5c7f2ee9b8c1L,
      0x0abeb9cafc394c2L, 0x02e1e16ac76009aL, 0x03a15df6c621c4fL },
    { 0x1ea86dcc1dc2c73L, 0x1feade0b21d5f91L, 0x087c9363287d2eeL,
      0x01196b958e0ff1fL, 0x14e66a7dde68a6eL, 0x1bd6bc3eaa6325aL,
      0x0ae51e276e88aa6L, 0x0229b11aa81c6c9L, 0x0c8c2e02d1f72e0L,
      0x041302ba371513cL, 0x0d6ecd2c61f1f53L, 0x1bfdd71fc193cd8L,
      0x087d11e415ed8b3L, 0x1c32e3fcdb5e1a7L, 0x1b305f2ce422efeL,
      0x1ad36e2fa39cdc3L, 0x124151e3308f7cdL, 0x04bdead0a5ae4a0L },
    { 0x01c62fe81e82861L, 0x0a5b6eea1620770L, 0x156f997a4795c0fL,
      0x08b5777fbafca5cL, 0x072a45f4b8b4937L, 0x0794ec5a78afa96L,
      0x19d7f3a10d6a154L, 0x12d3beed736b05bL, 0x052e84c5fa20c8bL,
      0x1bbe9688545057aL, 0x06ef6329804f0ebL, 0x13744df060be071L,
      0x080cec8b9ab0d9bL, 0x1fd5ed0c7829f42L, 0x10930a9358cd9ebL,
      0x1745ca1ea77c94cL, 0x069f892c58c864fL, 0x018be3698a4662aL },
    { 0x03525b02cb7d42bL, 0x005e49887d65706L, 0x008bfc81023d549L,
      0x1fc1821d411aba4L, 0x118eb23d6b01402L, 0x12950cbfdf7b453L,
      0x035ba8051ad6904L, 0x102b35f9c90221cL, 0x0e9a1d27f022de1L,
      0x0dcb68b6e1fa4edL, 0x0b8fd7bef90021bL, 0x0c83d9978239f83L,
      0x19525f8636f9d70L, 0x013b1e182481113L, 0x0418c2cdda5e5abL,
      0x07e2f398690783bL, 0x0fd451651f0ee3dL, 0x03572cb9cced05cL },
    { 0x1b13bc7bff4d2eeL, 0x0a1149858b9ec2bL, 0x0f541e524db081dL,
      0x14bdfaab7d6c4a9L, 0x0e0c33891d5f232L, 0x10fca26037a542aL,
      0x01edf3cb16d6639L, 0x0998ac90c3ffabfL, 0x0ee261fb15a2afaL,
      0x07fb91316cbd3baL, 0x06b88b5b3c01eacL, 0x0a69a68de428351L,
      0x1f97b6497e28880L, 0x1d157ffe47f39dfL, 0x1469c9a2a1656cbL,
      0x170573df39e7de2L, 0x072a84ee5f1e744L, 0x033248246de31ffL },
    { 0x1b7bb781e8b760dL, 0x185ec12d56d5048L, 0x167fead489bf51eL,
      0x0d7ff8291d02927L, 0x029be3db4a6dd22L, 0x185585ad0197c55L,
      0x121a0c636f1c0d2L, 0x08db9997f6afacaL, 0x08506ab379c581eL,
      0x089b53714187671L, 0x1e4d5b3db2031c2L, 0x06efded63d0c916L,
      0x0183f0f1c9fa176L, 0x0b55f6ee964e0e6L, 0x0ec37925bc149b4L,
      0x10e747c1d31c552L, 0x1ec6f2d7ada0f13L, 0x0275c9dae79fd24L },
    { 0x189f7e5e11fae32L, 0x0ba7ae2011fa8deL, 0x137d2470fdbf44fL,
      0x0eaaa4f36e36002L, 0x05ba00681d849a5L, 0x1e51655dcf444b8L,
      0x19dbe0888906704L, 0x0555f776d0bfa66L, 0x1931c3f5275878aL,
      0x15777f7f79ea8b9L, 0x097322f629a1e04L, 0x1b67b33e182c313L,
      0x06a19d48b682cffL, 0x14e362705fab2a0L, 0x00105c95817888fL,
      0x03990a7cf03bd0dL, 0x168cdf5c90bc700L, 0x015ac16c9be021fL },
    { 0x1165c8281abc2aeL, 0x1c07af15b4f6550L, 0x0f481fffd9be9ccL,
      0x0ca8eeca0d812f6L, 0x157fa21c5d60382L, 0x06deeaee5d64f9dL,
      0x1cca9e1d436d326L, 0x0390bc42207b3dfL, 0x1ceed172c2f11c4L,
      0x071c9324f1a4604L, 0x0e4dae0c7b77eeaL, 0x1a0dea10c946e39L,
      0x0de93acfcd915c3L, 0x19f97bd57f4719eL, 0x1f3ba692fb8435eL,
      0x095fb83b1d691d6L, 0x0c04fa49ce3fa57L, 0x03c30a884c316daL },
    { 0x1e3f4807ae72c21L, 0x150a27e8786d29fL, 0x07a3e30e91518c6L,
      0x08a369e3578eddcL, 0x17cdbb24379ae09L, 0x1eafe6951d21cbeL,
      0x1bd69e8533ffa0aL, 0x19f77c9da25e84fL, 0x09b0a43ee284d3cL,
      0x1dbc5c9c776370fL, 0x1013919ee3a1ed5L, 0x180a686e984031aL,
      0x055428deb50c8adL, 0x01d7d167b21b9b0L, 0x0a55be6d3603b03L,
      0x038d0daa3f27875L, 0x0259f9a28ab8416L, 0x02a05b5dbb5e4e0L },
    { 0x0e1734c321d315dL, 0x0b3096c3702e802L, 0x0516eea336053bdL,
      0x1359b8f135d5f5cL, 0x1877570f1fb07a4L, 0x1e29ef3510f4d6aL,
      0x063acb92a0dfae6L, 0x08a86db65263ac5L, 0x143afbc78ea362fL,
      0x14b9ecbd55fb2c2L, 0x1f6af832493580aL, 0x11e0f95be1d3b9cL,
      0x0175020538f69d9L, 0x0230e694f05a82dL, 0x083a060f6df468dL,
      0x0a1edc3850eecbcL, 0x08c2ca2586752ddL, 0x044be558a49701cL },
    { 0x1ed38130d8bab8aL, 0x09b26521c10052cL, 0x1cb101605057047L,
      0x14f5912ce80d0f7L, 0x197411a086ad0d3L, 0x019b8e22494082dL,
      0x00c79d2612c47ceL, 0x1c0e1a5db081a35L, 0x0d883628b6c912fL,
      0x07c7bfd8a7d4469L, 0x1ca9373c2b24f91L, 0x13554d849f4cac9L,
      0x03bf6cd94982f62L, 0x10528c16d5c835dL, 0x1ae4e94b208b99cL,
      0x0e7545fe8fb5861L, 0x0c5dc62c4a4fff6L, 0x0325803b1a3b587L },
    { 0x03f533eb3c9a404L, 0x1bfb9dbf7cca90fL, 0x18a5b094da4ec76L,
      0x080e71dda98fe27L, 0x0e26cad07ce7f4cL, 0x162e78e67e9d99eL,
      0x1380761e124d407L, 0x19e7f1f813bb810L, 0x0217cab32c39b5aL,
      0x16d785dcf7aaa8eL, 0x1dbd5b8485ea550L, 0x1625846e0055f78L,
      0x1fb070a29380178L, 0x0bb654b205a961cL, 0x15a38db8e49454dL,
      0x01d084aab284833L, 0x18c291fb82c09e5L, 0x03ee91753330c76L },
    { 0x1fe844b49cbb3bfL, 0x063822ab17d92bfL, 0x14de7d6a116b783L,
      0x0dca24eff83cddcL, 0x10635718956d7f2L, 0x0abf9a163aea5c9L,
      0x1d0ace685224a5aL, 0x0e519e9d66505caL, 0x16b0d3ddd83247bL,
      0x1d4fb19900d211bL, 0x100f04505292159L, 0x088f6ded522c82cL,
      0x10dac6f79060afdL, 0x1e9dcec14afca49L, 0x12b7c3da17fe52eL,
      0x0e912b91f31f8a3L, 0x0c89559c88ab13bL, 0x0189bbe332f8c7eL },
    { 0x1c5de097dcfb35fL, 0x0654f80e61b7c1aL, 0x0175d5db2d8cb73L,
      0x15ef6966eafd27dL, 0x109a19b50c2dd48L, 0x1ff303cecae6a7dL,
      0x16b49d4bb4565c6L, 0x0de8731019e4b2dL, 0x0e52efb5369e90aL,
      0x004bb3181e9f305L, 0x0d93eaa541c3811L, 0x076c0ac49ba5f9eL,
      0x0400d5e467d8f99L, 0x0647a29259ad4c1L, 0x02805e78a274090L,
      0x1b57bde8a8478c9L, 0x0713a5fd695587eL, 0x01ed66286508f29L },
    { 0x13e4f946499ae4cL, 0x0e5f0b829e293e5L, 0x13a6f9e0ba2a91bL,
      0x11b0903c8b00febL, 0x0a286fd0b6c64d2L, 0x0e6da4f9af228c5L,
      0x0fabfdedee6eb7cL, 0x1f7e7f6c4215d84L, 0x00a9ba385b9bfd2L,
      0x08d06a9c403f9d0L, 0x091012c5eca10b9L, 0x0d0ff3bb3e14f56L,
      0x14f3e9df646fd57L, 0x106f8ca6e68f7edL, 0x1a77c15774b7de9L,
      0x114637da7e587c0L, 0x0f7469b75612324L, 0x04334a4f0b4a3a2L },
    { 0x09a0da53f4ab07aL, 0x17999faa537df9dL, 0x0486c8f3ca40b35L,
      0x1d091c7ab01925dL, 0x13b218abc9581c3L, 0x165a6bc9d78fdeeL,
      0x00e80e1663a8419L, 0x16aa002729d3218L, 0x13b664b1e7d0877L,
      0x1ced8ddeba63848L, 0x1510d538b577435L, 0x08366653b7050a5L,
      0x107b96d4800d2b8L, 0x014aee237d42275L, 0x1dfb138de9415a7L,
      0x062ef85a706e729L, 0x198dc3884ff5b08L, 0x02ba1a95c458fd2L },
    { 0x12193f70d5d7ce9L, 0x0fe9305a43f57f6L, 0x0d65ef997f40f06L,
      0x00f04e1aacf8895L, 0x1aa70198dd9da86L, 0x0cc2efc54276005L,
      0x0a360bb09f924a1L, 0x03b32d995e1bc40L, 0x14e7648c761c220L,
      0x0b19ade048e0cf5L, 0x08e9a7c359e0aeaL, 0x0681a528c9264a7L,
      0x01099f68733f204L, 0x14cb008d222290dL, 0x14ea5397f2f3025L,
      0x147427109abb1f0L, 0x04f2418c624d3b6L, 0x01f218d7903571eL },
    { 0x167d93983d381f1L, 0x00d57686019e1fcL, 0x134151041da0d94L,
      0x10a1274da77e75eL, 0x192f2900a86d159L, 0x185baaa1d703a0eL,
      0x1b5bffacabe98dbL, 0x08da1214d47548aL, 0x1336a4fdaaefdb6L,
      0x08dff220d4a17beL, 0x0a8fb6147b907bfL, 0x0d0c23d26b8aff8L,
      0x0653bbb3434f1c9L, 0x16c4b61566abbb3L, 0x0efe907c9a4c6eaL,
      0x19de3141f77a30dL, 0x1351c3d7d82a203L, 0x036d69f8af13326L },
    { 0x1940b7d12ec35a1L, 0x0e2db73efd89468L, 0x031bc4cc8755886L,
      0x14678b1d6c5984fL, 0x19903c435e76904L, 0x0cb50c8a8487aaeL,
      0x12e9c186f249b0fL, 0x0372e953e071815L, 0x17a4140217198b2L,
      0x034accefc4ac637L, 0x1cbc76faf404a6cL, 0x0c27be751b86a2fL,
      0x08672375c51109aL, 0x09c1e9698472c22L, 0x1fe0df159642e92L,
      0x1aabff87dcf8c17L, 0x03fc87a539027d2L, 0x0121c74ea2fa8bdL },
    { 0x0a453088815af3cL, 0x18d1979e4df6ae2L, 0x17265ed9777f957L,
      0x0825ca3d6b5de39L, 0x063f249061c61d9L, 0x19f118de86d62a7L,
      0x18041bc510a7342L, 0x163ee6f8785e3b4L, 0x17150e04b6bbc4fL,
      0x02da6448df140e5L, 0x118cf35dc07d6c8L, 0x1e8c54a26921e36L,
      0x1368f1f7f28b33eL, 0x1ea0b5b3eeda3e3L, 0x1e56ecfd2b69446L,
      0x01ccf3a552f9bfeL, 0x00100a8b7b29620L, 0x009f9c808d7f187L },
    { 0x1d296ef7bd0c827L, 0x08879a514ffa31eL, 0x01a072694569418L,
      0x0a4d1794eff0f26L, 0x198045dfde8d804L, 0x0072c265dc18124L,
      0x18188fe435c41a3L, 0x016550719504c76L, 0x0293bb5e7535c5dL,
      0x1754ceaab20a888L, 0x046b406ef680173L, 0x017f49b1a031fc6L,
      0x001cf2b8662497eL, 0x0c625d4599eebbdL, 0x0adef26f01d6dcfL,
      0x036165308cda8e4L, 0x1b617a7ce24cbdaL, 0x022c6a5b5b40381L },
    { 0x026a20e4d54d8b2L, 0x0b4b726990506c5L, 0x0163e653dc00169L,
      0x185eca9350d316bL, 0x1694d00d7a4adc3L, 0x02015e8c09740c9L,
      0x190411ae6c001ccL, 0x041c21428934366L, 0x1eae95ea5992302L,
      0x17e174d8da41061L, 0x0d72d61727ae28fL, 0x06332f08e0c9fcbL,
      0x108f27d49f21ae0L, 0x17b92ab5b47785bL, 0x136c068c967bc60L,
      0x1f2b8015c08aec4L, 0x191628e3b065668L, 0x02f89fafd5b7ddfL },
    { 0x06ed9ae3a9b0dc6L, 0x0def4b7c41f643eL, 0x1e23aa2cd9deba8L,
      0x1934cdc757d4cd7L, 0x08217ffddefa6abL, 0x06f82e626998bdbL,
      0x19d3bdd0723c8a4L, 0x1943e1fbe2efa22L, 0x1fdf0ece7c35989L,
      0x176c96fb5ce2416L, 0x04f99956fc729c3L, 0x05204b9d9338e6eL,
      0x02e803e69c90acbL, 0x0bb89d0d1be4f1dL, 0x1685d35f028f14cL,
      0x005ec6a1b8acadeL, 0x0a211625a4405f8L, 0x010cb24aed1bdd2L },
    { 0x0cb2fd313142680L, 0x148ebb2e8a67a00L, 0x1aaf7f899a7aae7L,
      0x1015c4578b8d419L, 0x0b6ec250beefce5L, 0x1c78ff9e15bcc36L,
      0x123b212b6c68b5cL, 0x16b2e137850a2ddL, 0x1f36931298e8f7dL,
      0x0477e35cad8cbfcL, 0x04254a6aaa90131L, 0x197a2882a9613feL,
      0x03427f34352c3c8L, 0x090c4be099f7bdeL, 0x19522801285e503L,
      0x1f4c4b54188fad9L, 0x1082971cea73d56L, 0x049d687580223afL },
    { 0x00b6967988a9963L, 0x03bfbb28af46ebdL, 0x0e18edad43c9879L,
      0x0ba67245bcc4e9cL, 0x087a5b3d63a9b8dL, 0x0171919e1c69fdbL,
      0x1333c63dbc2704cL, 0x1ee4a980b87c05fL, 0x1c04ed0b726e662L,
      0x0ab235c0a1ff03cL, 0x0a51232405b2307L, 0x1897f047af2fdf1L,
      0x0fbccde451e5674L, 0x020bf56f02c37b9L, 0x1b9623717f22355L,
      0x1a3f2572a4412aeL, 0x0344408dd425844L, 0x039fc61f87520e0L },
    { 0x1534fc85df763ddL, 0x013f99d638c1b44L, 0x185dba3c5680ec5L,
      0x099641111c1b6b7L, 0x057caea61d39094L, 0x0fbdf9bc0264d6cL,
      0x0a33ea96110a146L, 0x02ac4ddd9e25275L, 0x1749e0d98ea36a0L,
      0x1ffb6d71990f6e6L, 0x17ba98a2de4733bL, 0x0aa45a2dc6c32c7L,
      0x1cb15ae206a14e0L, 0x1e5192f251702c7L, 0x0d06a283c9a1d17L,
      0x0a370f9f3a80e42L, 0x175dfed25d97caaL, 0x00084571cd6df6eL },
    { 0x0d178f3a9e88f63L, 0x0d88f55863992aaL, 0x0f9b8987629aa81L,
      0x1d1a172390ee74aL, 0x09bb004d24db7daL, 0x118485ef085839fL,
      0x07227f22fbf9d53L, 0x0342d5e0b32198dL, 0x0ddc838039d5951L,
      0x1fb2dcca362ed7eL, 0x192fa07b8296670L, 0x1c6df675362ff77L,
      0x15445dad0088891L, 0x0a84bf0f864d56bL, 0x01693877ff11aafL,
      0x0a4671090113759L, 0x1df348bb42fa0c4L, 0x0403e036c7589e0L },
    { 0x0a969ec98ee0ef6L, 0x0aa41c5dbdbd780L, 0x124a80be3f6eea7L,
      0x1516e0aaf848909L, 0x00ad1af27bdb201L, 0x064afdf2c9a1f23L,
      0x074ed4ea6a50a66L, 0x01d2e9b67bdb50cL, 0x1ce1525c9ed399cL,
      0x0dab440fb9084deL, 0x1df456660846922L, 0x1675de1e4eb411fL,
      0x17fa2f358b5df76L, 0x01cd831a49f8c07L, 0x160ed4eab13ff3fL,
      0x133f84d258c4c2eL, 0x061b2fdfa36b553L, 0x00b2126364cb03dL },
    { 0x1d65c55dd2744a9L, 0x060e17f1d7a0c2eL, 0x1a67bfa2c224951L,
      0x0b53bed23465905L, 0x1be9967430b7ab2L, 0x1968914c1c22a84L,
      0x1c9caf3b349632bL, 0x019115c8131798eL, 0x0d43961414b8efaL,
      0x07fb3dcf6b26896L, 0x195790b9fcd0111L, 0x188a8b61d3d753cL,
      0x14f03ded283d16fL, 0x16665c2e23a51f0L, 0x14e946e8f26b7feL,
      0x063627bfcd782e4L, 0x18adddaf4b9fb58L, 0x02aa27301527a23L },
    { 0x17c5313baa80b4fL, 0x138b7b1dee477c4L, 0x0b6ded0b16a0048L,
      0x12110661195c4e8L, 0x0d341ab1e9d9e1eL, 0x0a2c381a96461f9L,
      0x1676058f41403b6L, 0x0530693bae78521L, 0x02053c5e01f6c7dL,
      0x1883a2365a1019eL, 0x022f4827426bc60L, 0x1cdd64f28d02ed9L,
      0x1e19b1b540d0f70L, 0x114ca5a1b905aceL, 0x1b14f3e02dfb370L,
      0x01e8583499b9c5bL, 0x061dd7d3edd1ed6L, 0x02b9accae7120e9L },
    { 0x04ba3fba0237056L, 0x160b219d599c46eL, 0x0ef49c7b1849a15L,
      0x07c60637d9803ddL, 0x0118a1f5abdeb03L, 0x100799a777220cbL,
      0x01dcfb125d0856dL, 0x1fa36e30b9e110dL, 0x17b0c46cd7c1b7dL,
      0x0a1d96d25262f44L, 0x096612ec7fe5374L, 0x09c9939e68cbb73L,
      0x00eace64c9ac390L, 0x1b456ccd7c394deL, 0x05503097308a085L,
      0x0d22f77a7610315L, 0x0f0e468ed5f049aL, 0x0442a436f9f622fL },
    { 0x0942c934bdff464L, 0x138cf92d3da28b5L, 0x1c2cc96f8c90f6cL,
      0x1633fc667399600L, 0x041ee8ff2055a31L, 0x17c6f7d6534d741L,
      0x1cf19d81f742157L, 0x0213c492c1e3436L, 0x1bcb0e8a271d368L,
      0x0f08d513442f35cL, 0x1742ac617ab864aL, 0x0dc81f03f239316L,
      0x0f994fc5031a0b9L, 0x188ceb70268745eL, 0x0933830cf605a5fL,
      0x1f3ae5210650f55L, 0x02dc5dd4d3ec91fL, 0x018e767f46a55cbL },
    { 0x17bfd9afc8b21e8L, 0x09959d8ca1b6fa1L, 0x0b524870da83977L,
      0x1b47a1f521fcb20L, 0x1bb523bd8e9de84L, 0x06b4bacb31f356aL,
      0x0d672600288febbL, 0x1e2201381b369f7L, 0x1839aa7bdc9d20fL,
      0x0817b36f66b7d1eL, 0x1b53ef1545b2a7dL, 0x0becd8e85588901L,
      0x05ff3252f865ffaL, 0x1aece59e95be3caL, 0x15bc749cbfbf015L,
      0x09d8623610c77adL, 0x1b35d8f3cf09a6aL, 0x034b0da356d12a3L },
    { 0x07b587ecb35e2acL, 0x0aa35abd78a6ce8L, 0x096f6ca281307b5L,
      0x08e13aa9e1d942fL, 0x1c6f400ea1f91d4L, 0x0670c853738cfecL,
      0x0ff49392e23b7eeL, 0x0bbf2f03dba48dcL, 0x1d67120e6b655afL,
      0x13c168ec9a09e53L, 0x18828a5c1fe8876L, 0x1e64a9d08246d2fL,
      0x1e36051f9f1eb51L, 0x19e72df49712a6cL, 0x0fde53f76bb10adL,
      0x155b31353465d9aL, 0x0121964e22f0781L, 0x03531d48629baa9L },
    { 0x0554e003d7acbbbL, 0x0b3455ba7b0843bL, 0x19c8e231466cb00L,
      0x087d729a9fc9452L, 0x0cd6d2f60166771L, 0x1b87bf84351e6f8L,
      0x0f9f3e1960085ecL, 0x142cb110182b49aL, 0x1d6ed58165ba3f4L,
      0x1e63c09ae5238eeL, 0x0fc1d3a11295daaL, 0x0366dd4a05d5013L,
      0x070e021ed3a53a8L, 0x030bf8b2e105c98L, 0x0d7342e309fe24aL,
      0x052c34a8ec88d04L, 0x10effc89ffd8255L, 0x028f6a51168a8ecL },
    { 0x1d6963a449701b4L, 0x0c8d1dd93e5791bL, 0x1856d5ca597faa3L,
      0x0bb6a17efa7df37L, 0x0e643b9b75a7a05L, 0x15aeaf7eb3a4076L,
      0x1225fca9834b5b3L, 0x0bed1f86418bdafL, 0x041c53cf628ce68L,
      0x114b88fb88330afL, 0x1c84e08d403b303L, 0x04c0d853fc90f50L,
      0x0ae1ef9712af0a9L, 0x0968b4dfc9ef9f9L, 0x0a5e4f0357dbec7L,
      0x124add6f5fc4ce9L, 0x0e54173d94ae9f4L, 0x016b4a8de15c5aeL },
    { 0x1007d9f904e222eL, 0x19247c37a7084eeL, 0x1a2e3d0a7bb8ccfL,
      0x0b9f8eea31a9329L, 0x0b0f42f12957341L, 0x1a1a8cb73ff51d0L,
      0x1c6831e572df709L, 0x0ab04151ecce23cL, 0x183d95d9c2b874fL,
      0x05b26bc73870b13L, 0x0d4fd62e4a9d0b5L, 0x116288f6bcdb248L,
      0x0cbcf931a032204L, 0x13d7913405d6b98L, 0x0ee4fe5d7134226L,
      0x075dc8c92098370L, 0x1f0a24eba02165bL, 0x032e2473c704662L },
    { 0x01c73cede222c22L, 0x1ec66fe7511da0dL, 0x0c52c850ec195a0L,
      0x1eb3f9d8ee06039L, 0x11204cef284adf8L, 0x19a883fd8e2c0e1L,
      0x02303d534fbba51L, 0x025b7ecfe169a63L, 0x176a3f2d110f18dL,
      0x004fd1403e9f009L, 0x1c2918979fb380eL, 0x0fdb6512ba5de0dL,
      0x0908b0553ad8286L, 0x17922a22f0837a4L, 0x1668f2f88a03e9bL,
      0x1745a805aaf0b51L, 0x06ff63dd9ffd438L, 0x01b5ae6963d3591L },
    { 0x1ff4e20545679a7L, 0x005a0a29063a843L, 0x1fea6d167361936L,
      0x1390b5e3472146aL, 0x0d935a5ea19eaf3L, 0x0d33c506a3aebccL,
      0x1a041d140660de0L, 0x088e9072ef21985L, 0x1c6a21d112f4122L,
      0x08742fc9b528d1bL, 0x00547baa9d37e23L, 0x054f279f3389feaL,
      0x11376a9ab614e18L, 0x0911c4ffa2ac9efL, 0x1117a2863dcf2bdL,
      0x03b91a4f992c1eeL, 0x1d80692f4c539a5L, 0x0046be0a26d9cdfL },
    { 0x09c0d963ecca773L, 0x148c96a4610ab40L, 0x15d36daf59061faL,
      0x0854cf19bfe1d99L, 0x11587b7e7731237L, 0x1852633d4b36c5eL,
      0x05ef7cf06840584L, 0x148f98dd070bf9cL, 0x195e95bb8a8de7aL,
      0x1f0f45ac4c18471L, 0x1c90fb8d1da528fL, 0x18857619a57e032L,
      0x040f9b2b49f3fe9L, 0x039b3e8fdac8293L, 0x1b851ed30e17a2fL,
      0x095b23a60a15d6bL, 0x0028e2c38790400L, 0x02f9554775d5b81L },
    { 0x008d4641266524bL, 0x19c406850cfb371L, 0x017b6841bafedefL,
      0x07cc85ba8d4b54dL, 0x0682e4d60a69e8dL, 0x05a9a6779a4e30eL,
      0x19ee09bdbb8ec3fL, 0x1ecfb57424e0bd6L, 0x12babb27e18be05L,
      0x0cd7e5d4716c2e8L, 0x1cb46b8b674e1a5L, 0x05cc3d4de0dddb9L,
      0x14866e5ae859dc5L, 0x015e69e3e1413c5L, 0x12fa0bf67fc0d00L,
      0x1e449d10958ecf0L, 0x149a316498083c9L, 0x031280d4c5a37fcL },
    { 0x03f7d9aad264086L, 0x119edd2f0725eabL, 0x000a3234f59f29aL,
      0x108dcc9633d04a6L, 0x00aa4536a288dacL, 0x0a9f567d1e48cb9L,
      0x0af4e04c326c3b5L, 0x0eec4500dc05d51L, 0x052fbf54dceccfeL,
      0x0cd4718a7868db8L, 0x1484cf566c5d06fL, 0x003934dfd514a33L,
      0x00b5c4eb10fd741L, 0x08fced2f68d67bdL, 0x17a9619e1266dceL,
      0x0a6355754989381L, 0x065cc9c5f73a1f3L, 0x024bd8aff7e9fe3L },
    { 0x056cbaaf45568e9L, 0x0d07f638c9537c5L, 0x174e6ac94e6bd24L,
      0x109586fb53b7607L, 0x02a0f5b4c86522fL, 0x0e29cfc6466dd10L,
      0x1c0ba0427f1d68aL, 0x17f39a0da639521L, 0x18f31f0443e216dL,
      0x0d534565d1f5ec8L, 0x0343490b001fd26L, 0x1f7f0d536f9c550L,
      0x04d6308edcdd8dfL, 0x03400965202e9f4L, 0x1a841c76be8cff8L,
      0x06fcd85dd7a27dbL, 0x0b7b7ae7e5c2ff6L, 0x00c6a35364f28a6L },
    { 0x08cbb22a78b7802L, 0x0eed924be5d7a43L, 0x1cf90aba2b741d1L,
      0x15699d69c989d65L, 0x0325fd40ac0abcdL, 0x1639a29706c192dL,
      0x1c6e5b3f815c44eL, 0x056e80f4f116282L, 0x070eb06036da7a5L,
      0x1859b7cec28bb56L, 0x0274a5f0a553ceaL, 0x1391b9ae0b5a282L,
      0x0d7bb5e751370deL, 0x103738461f86daeL, 0x04c143517e4f506L,
      0x1fdf221aa9f14fdL, 0x04069e6f8e45a38L, 0x02a822300e9fb17L },
    { 0x1c5c91006cb9cc9L, 0x03a6ba0e8000a68L, 0x18f8448dbee1508L,
      0x1c535abf04f9b0cL, 0x0951fc8339721ffL, 0x068a278e90fdfd1L,
      0x0b9ac73781b9d00L, 0x0cd2084b2d722f2L, 0x03365c8e529ad51L,
      0x1110742cd777f4cL, 0x14c625c30abb8f8L, 0x07b73fe20179796L,
      0x16f532973f477caL, 0x0d15e80d9383a0bL, 0x15e7e4e848462b2L,
      0x1afb7e684a4127bL, 0x04f563a8ff7c6f5L, 0x006d189fe6bd876L },
    { 0x1125a8c15aa2557L, 0x0eb8600449f4e1bL, 0x06519ee2a08f288L,
      0x08f960085490e27L, 0x09e2ce180d3e9a7L, 0x0d75611695fa7feL,
      0x01983554c683412L, 0x0009a534c2de07aL, 0x0473d50d61f1b7fL,
      0x178765de51ef286L, 0x166fa8270a3c9ceL, 0x1d41f0e08cc9c52L,
      0x01731083ef6d7c2L, 0x0a0e12aa56fd727L, 0x058b40d4250309aL,
      0x0521c882ce82142L, 0x0cc620230d81e82L, 0x031b185f46da0a5L },
    { 0x18d52228a7d2e41L, 0x1ac11f5b17c3cdfL, 0x0f75b100b625279L,
      0x0dbc58b35a369a6L, 0x09b9dc38883e04dL, 0x1b86265f9f9c7a2L,
      0x081167665f462d2L, 0x0da3ed36418279dL, 0x1ca3d702558e260L,
      0x0a7ecbb930e8dbcL, 0x1abea16850dbe8fL, 0x1d317688780ead5L,
      0x0ce558f6be369b3L, 0x1c5647c4fe728c3L, 0x196a9cbac3351e3L,
      0x09d60d00e9e6fabL, 0x0ed295845c06854L, 0x018354c38f8b344L },
    { 0x0451e9d634ec136L, 0x193e50737b2c7deL, 0x054b036d04807b7L,
      0x018b7fdccf537c0L, 0x1a2d602387b6ef2L, 0x17dc4c9a94191c4L,
      0x10b79839593631eL, 0x05695e457801593L, 0x128e6f63182a9d2L,
      0x03ae380fa99380dL, 0x1063e2081d7e470L, 0x051a37d54a23edaL,
      0x176e72a13df9fa6L, 0x1bfa600e2a8f3d0L, 0x12756224c18856dL,
      0x0f9a8e3574e6327L, 0x0376443ebe058e5L, 0x01419d620f4081fL },
    { 0x0564b868da5ec5cL, 0x0ced40e046d923fL, 0x1c2e315e9ca2b0fL,
      0x0f3a687b853af83L, 0x1dc603393512afeL, 0x1d0ca0da1c7267fL,
      0x01125f5689c0373L, 0x1cdabe647f04e64L, 0x11b87a58e1393c6L,
      0x05b45e8825d5218L, 0x1071691c8ad35fbL, 0x152e40d6bf55813L,
      0x169976327ef42faL, 0x043bc3ecf0ee5e6L, 0x1700645956ea790L,
      0x06a717ab38eafbcL, 0x103673020ed0bcfL, 0x009066a2a524eb1L },
    { 0x1fdb8f4cab0f9eeL, 0x01f7816672c7775L, 0x01056a341996f00L,
      0x0d372aeee936d4dL, 0x0721ab5c642ed3aL, 0x1278699ef243f82L,
      0x17737bcbfce0086L, 0x1e57a2deab053b7L, 0x12ef05b4b0e93dfL,
      0x10fd50905e4d760L, 0x0b8b0b519fea4b7L, 0x1ec8bd667c68cdbL,
      0x168f0103cb758daL, 0x0df01218533d6cfL, 0x10152f0547da4eaL,
      0x066ddaad3092dd6L, 0x03e8ef1677e7019L, 0x0010e7e8b3fef75L },
    { 0x073715fdf5c36f3L, 0x1ef1beb25692a2eL, 0x1443cb3ddc4dc0eL,
      0x0e1e732790aa6d1L, 0x104ae4ca1e5ec7bL, 0x1dd8c5fed8b3bb1L,
      0x0f568363dc5f8f4L, 0x16aa4ce0e7ecc68L, 0x1faeb52ef156008L,
      0x0bd6afc91252387L, 0x1b8e47b4aad46aeL, 0x1caf32e860595f0L,
      0x17fd0ae28adc0c7L, 0x1fc76ace6447d40L, 0x04a2eda01f08b7eL,
      0x12b46bbdb8463d6L, 0x18e71edcd9ca205L, 0x003932da3639e7bL },
    { 0x1dd99f0bd66232fL, 0x157c4e2013b8b39L, 0x17e96e183f13166L,
      0x14f5287e775f04dL, 0x123c428d239ea8aL, 0x19dcad07070d8d2L,
      0x1d4ed57a838e9a5L, 0x03fd47339544aaeL, 0x0f8adf72f06957bL,
      0x1c4f9a09de9a181L, 0x1c9f43e290ea5c0L, 0x18115b5ef2de667L,
      0x1b49c12aa2cd9c0L, 0x1d056374b6e6524L, 0x110203b76237bb9L,
      0x1e97b1e8eaeba0cL, 0x16c6e9d667d0cc2L, 0x01b62baa598e8a4L },
    { 0x120046ef323d84bL, 0x088913f3c4e27c8L, 0x1d3a486e01569a6L,
      0x1500f32e9c961d5L, 0x140f8c796339844L, 0x16f7a4e482a3353L,
      0x192e8706343df35L, 0x18aa52fb4d69647L, 0x11c09dff3c41800L,
      0x02483ad9bf7b3bbL, 0x10e9014144f7b5bL, 0x05d2d6162e0b529L,
      0x14c48af5ae3d674L, 0x04ac116f603c224L, 0x193653d030054cbL,
      0x0bd6b45bb5bcb82L, 0x04efc8a8ac9a297L, 0x0037dfc308ca34aL },
    { 0x165338e3f45aa97L, 0x1ac640e8207f596L, 0x166c3f7be2e760eL,
      0x15c9ae82f80bfdeL, 0x130a1a237beb071L, 0x12de81cc15b0fadL,
      0x1afcd317ca8abedL, 0x14bc815793ab97eL, 0x0422c326df06612L,
      0x090f34ecab8d714L, 0x02c42c8f4d0d3b2L, 0x12af3b40f266f91L,
      0x013619cf4d96d2eL, 0x0caf77d0c19ea35L, 0x0fa3c3b6746594fL,
      0x0b56254fb082340L, 0x1ea5e64295304bbL, 0x02f4e507e8f87d4L },
    { 0x1d54571197c5dc4L, 0x1205ff3c54ad12dL, 0x1bf3ff6c3acb8b6L,
      0x181a2e8cf8cbf73L, 0x0758c6a3e952dc2L, 0x01a54d60fe4e3deL,
      0x12d5bf1e558b350L, 0x1164dc6df7cc3ecL, 0x06adc4b9e1e8472L,
      0x18b2fe9d47cd645L, 0x04e9140f8f804dfL, 0x0a26cac8f1c6f79L,
      0x17064ddc77eacc5L, 0x1b49b48a699c8b8L, 0x0909299d6cc6371L,
      0x0be68d363e38e6cL, 0x0f88cc2045b4995L, 0x04a031159e341b5L },
    { 0x110ccb70d997973L, 0x0b12ee9fc788aa3L, 0x13556e5eaf54ecaL,
      0x14ce7c294b19e18L, 0x1d262246c6321e0L, 0x041d8882a0d7ce9L,
      0x14a9379b61d51bfL, 0x16c8fd2fb51e02cL, 0x00f82b3a6ad9802L,
      0x0d5203ad74e2259L, 0x1d778b3b4afdddaL, 0x151492f481b55e7L,
      0x083c23ba9c1ef1eL, 0x18c851641707c30L, 0x178cda362a66293L,
      0x17ae3c56939199fL, 0x1b6b9f49824bde6L, 0x0405d8b323c2df6L },
    { 0x1e575fefd145cb5L, 0x172b0d62f344182L, 0x033e1e4ec9cc557L,
      0x1c267646708c3ceL, 0x02a7ba079f1553dL, 0x18437d17dcf061dL,
      0x12e4f0eff5aa0f9L, 0x17b6d750a011769L, 0x10b66d78976f82dL,
      0x0ad37fb2a75a4ffL, 0x1748dc7c82cc89fL, 0x1384a9c539b99acL,
      0x03cb118ff979ea4L, 0x062c0005b24bacbL, 0x031de725a566377L,
      0x0b46b2a20f23022L, 0x150edfc154863b8L, 0x003bdd2f5209091L },
    { 0x13a38d3cdd86f61L, 0x10a228281505585L, 0x171601b409c90c4L,
      0x111465e21e3225dL, 0x0e80c76001dc1f9L, 0x127459dd8e98e88L,
      0x127bb51bb1f97d1L, 0x0efaad35e6d357eL, 0x09d286ea72cdadeL,
      0x1f38106a2d6ac90L, 0x148db98a66b9fcaL, 0x137ba7eab80f57cL,
      0x1a52350e80c9317L, 0x17f83ac3409c4caL, 0x1ce594c24049972L,
      0x0fa42b6790365e8L, 0x0e2baf7581d9bc7L, 0x03590036fa2c8d1L },
    { 0x0fe50a8965b1bc1L, 0x1a9b54b15da7ed9L, 0x14cc0039fe664c7L,
      0x0aa7aa24bdaae31L, 0x12125caf84728f2L, 0x1fb3cf27c530c26L,
      0x1016953c69c04d5L, 0x0eae153e8182a63L, 0x110d0cb976fa8b7L,
      0x03b7a0f4ee09674L, 0x15e9d49d57e252dL, 0x1c20c4ae8348b91L,
      0x18c917b16cd6c12L, 0x1c6b5850131537dL, 0x10e3a0c93445b98L,
      0x115f9092a818065L, 0x150855b911c6686L, 0x02990bf535e935aL },
    { 0x0840473259f52b4L, 0x0d4e5f3108a367eL, 0x017b2b2f49ba5a3L,
      0x1bc94a86892c9d7L, 0x181a4ff7ab7daa2L, 0x040af7b6e1dc241L,
      0x0c78681ea5acd07L, 0x15189f5d3d187a9L, 0x10f938d1e42ce9eL,
      0x193ed661ae60297L, 0x180727a681bc1e9L, 0x1b9694dacb43903L,
      0x136044a9a6a9e08L, 0x195e94adfc7168bL, 0x1e06c4a6624f743L,
      0x01585411a66f3f2L, 0x0ef64bd60016183L, 0x001c3498f6cd6dfL },
    { 0x0d7abb3d09885a5L, 0x095b3f1aadd83e8L, 0x033d4dbaebb7b67L,
      0x10d339c9ac77847L, 0x111594cd61ca2e7L, 0x18b5691aa7fa238L,
      0x1d711572f9c240cL, 0x080830cf3fa93ffL, 0x075bacd750f9c6cL,
      0x1bf6e4414b9390dL, 0x05a21f97bd40bd9L, 0x06cf7e641c1d04bL,
      0x0f8bbdccb2459e9L, 0x1bb3431ec0e71b7L, 0x031b6e06e825ff2L,
      0x0e9179a7443adabL, 0x0200e4967cdb4a8L, 0x016557ba48a820eL },
    { 0x0f980066ed20424L, 0x0751191238aa2a2L, 0x0695e06a321acf9L,
      0x0af5cb6e164d1daL, 0x156d398248d0ab7L, 0x198fd2365459901L,
      0x173ca73a39a04b7L, 0x1bd7213a465b24bL, 0x1302c8f78f56723L,
      0x0b92eb4d5d64b7cL, 0x091f295f4685c04L, 0x0a23831457cecadL,
      0x11ad50d9d96bb5dL, 0x18582a8c5ab722fL, 0x163fe44dba21b89L,
      0x06c3d8f8e3e7a13L, 0x1d865a1bbe29350L, 0x0436bfa9922ff1dL },
    { 0x1f16eb6b0bf719aL, 0x1a84c45e1ec89ccL, 0x19489b3406d2da5L,
      0x0921131a39f5ca1L, 0x087ec666d3e3ac5L, 0x1522dc26d1dcedcL,
      0x0c16160c01913efL, 0x0266d3e77b306abL, 0x10fb239a8579bccL,
      0x1ada29cb715ec08L, 0x1ceebc90663f493L, 0x0db7106faa3a00fL,
      0x02eae75b1668a67L, 0x1edb041e3477753L, 0x00db1697ff97e50L,
      0x1ff0aa5929a1efbL, 0x0dd5a4c3c6fcbc1L, 0x034152af1c3605aL },
    { 0x0f235a4587495aaL, 0x101361a63922ee4L, 0x1316dd691b8c89dL,
      0x0bd987cbcfad5c1L, 0x14296629890d396L, 0x03b9138d899a178L,
      0x09a2f22649f9a2aL, 0x0342a87e4fc4649L, 0x06c44768449cdc2L,
      0x1e3fea78a296856L, 0x0c28c7fd2c11726L, 0x0d410a5eec22598L,
      0x12c6fdd7a6415d4L, 0x1da63e48d6b9b82L, 0x0235c3373b30eadL,
      0x0720ba59be036edL, 0x1cd054f2542e40dL, 0x001113fd37f7f26L },
    { 0x005efd9b751948bL, 0x176a37efe912e8cL, 0x18253cb22c8a3bfL,
      0x1f2def8bcb96251L, 0x14cbeca09d1090bL, 0x04658204ace8225L,
      0x13f38872557e638L, 0x135783e4f3ad1f4L, 0x0b021e14e0710aeL,
      0x068b74fc408b3faL, 0x1708baef27c6959L, 0x0dbfc6841dd5eb4L,
      0x15d5c4e8435f371L, 0x147fdd40cb8f5c8L, 0x14dd5e193f157f0L,
      0x18fa0684fca9afbL, 0x178446e6a6215ebL, 0x02a3f124d14934bL },
    { 0x106868aa1ffda27L, 0x166e63caae7a823L, 0x0784298fcf62d39L,
      0x153bcbce15eca2aL, 0x193428235b4127eL, 0x17bea89e9604dd7L,
      0x100946326760ea8L, 0x19d418b763bbbddL, 0x07ffddf8403dcf1L,
      0x0bf2694b0b7ef6dL, 0x1595a5e4ca87c39L, 0x01d06323a9c7a48L,
      0x01c220218b7475eL, 0x05e592829a3cdf5L, 0x184cb9bf3ad7242L,
      0x183d638d0b9d478L, 0x0eac42dc745bfe6L, 0x022d20e60695847L },
    { 0x0a9b2c74dbbf0e1L, 0x1cb17d0be7b871fL, 0x1d617bad319907fL,
      0x05537d62fdb83d4L, 0x0285741a4f5412dL, 0x07e88f964f27a95L,
      0x0613a4f7df69261L, 0x0eb655f7bb81be6L, 0x096323d252421e3L,
      0x03df0f224efbc0fL, 0x1807b4f5626fab2L, 0x137a51ffedba28aL,
      0x148a0f298c0f0bdL, 0x0c4734a216992ceL, 0x0b0abd8d8b5e9dfL,
      0x1b40550980d6d6dL, 0x0c8ba850ac9d087L, 0x00943b1e4a17720L },
    { 0x1a80f07acbac178L, 0x100221a5847b714L, 0x1451c3fb7b49f30L,
      0x070cc2aecfd2c63L, 0x0b088548b2115daL, 0x174701be3afae26L,
      0x05d496ca7484e68L, 0x179fd3fb4cd1710L, 0x13f1d8d88c1de7eL,
      0x03b2b2f0190c091L, 0x195586c72657cedL, 0x1631627d6e360e6L,
      0x1399b3a0eb2160cL, 0x1907e6ba3f46d28L, 0x049b5c97a3287e6L,
      0x0c6fed4fc00cf68L, 0x0d21e8204b768bbL, 0x03af4b5e67e27baL },
    { 0x09d1fdc0d19716eL, 0x0282c3e1c22928cL, 0x1b47aa61f4ab7d6L,
      0x06d80e2a1ec9508L, 0x0d6fd5b712b6bf8L, 0x09faafc8ec2ea32L,
      0x044a6a5e220d93dL, 0x090c01077b102a1L, 0x1a7672683ea876fL,
      0x005973d60ad9244L, 0x1be3490b47664baL, 0x00539e7bc92530bL,
      0x1cb14876279c57bL, 0x0572db43ff017c1L, 0x1ae065abae93f92L,
      0x0a47b150de136baL, 0x149d88f566ba16eL, 0x0184d374d5d1344L },
    { 0x127ee50bdfbe97aL, 0x1f387dc628626f7L, 0x0c05ff827d70697L,
      0x0b7da6d98b98f7dL, 0x1550ed3a8fa15a8L, 0x084340e061d66dbL,
      0x1732f1607be1faeL, 0x1d142b666c5893aL, 0x00fbb17141fa264L,
      0x13fc6c7c70f7744L, 0x133f58870ad8f49L, 0x1cfaa77cfdfba63L,
      0x1fdb2a358a924dbL, 0x1aeb4560ea1743bL, 0x13fa9573e59cf1dL,
      0x16405c6b2f1fae2L, 0x189eeb366535769L, 0x0022c12c56bac9bL },
    { 0x1f71a74a042dbdfL, 0x02c2babbcefd12eL, 0x0e9c34b9995cb50L,
      0x0b945d125c1ccd9L, 0x0f0e6b5f285d674L, 0x03b3e1fab546f78L,
      0x1ae7383ba14768cL, 0x0853180acb08668L, 0x0b35fce26d6b3c7L,
      0x044adff9cbbbf00L, 0x03da9b9edb621b0L, 0x10869e052097079L,
      0x1b2e84ec34bee14L, 0x0b6884c8bfba48aL, 0x07eb302eabd98f2L,
      0x1805200970eafc8L, 0x158a2b880e56f86L, 0x029fa51f04adbb9L },
    { 0x1bb08ce89fc48e7L, 0x062bbd7d5ad7588L, 0x0fe283072d6ae98L,
      0x14f2eaf96de0d79L, 0x163191607d2efaeL, 0x1bdbd4f136c858bL,
      0x1cafd0aa86ad8adL, 0x1e071dd819a50bbL, 0x1d35947f5f3a8f7L,
      0x1e46e077e0e5adaL, 0x0332831161173e5L, 0x1312493c4de5fd7L,
      0x0d483ed89a16e8dL, 0x08ec8839be13273L, 0x17a67c04e8fc515L,
      0x1aac70a02ac5c60L, 0x036aaf98d746908L, 0x0054cf329eb91e9L },
    { 0x1536f46abbc0559L, 0x1833dcd50d0b011L, 0x08a4305a06d7058L,
      0x0226f1d20e453faL, 0x0b793a2d61254beL, 0x12a96de307fabd5L,
      0x028da9bcb7e2d19L, 0x13535a63127182eL, 0x1c5cd9abe29b74dL,
      0x1ba3939fbc24291L, 0x1aa4e83438c18f3L, 0x03c68491c7b1824L,
      0x0e8323ddfafe202L, 0x19931cf3ecb9a1fL, 0x0c955227dda1dd4L,
      0x1efd52ca1f862eaL, 0x1c0b595dbd13eebL, 0x01d4ae5a28087e5L },
    { 0x14e68cb39d7ff2eL, 0x0e5a5e0eae247caL, 0x11ddc5a50e2a374L,
      0x012395b19c05525L, 0x12cd08d27965c0bL, 0x0815ed062bcc559L,
      0x14860696f0f0e9aL, 0x1b6a8ba124aa30dL, 0x0f0077cdbd27e64L,
      0x0abe5524668496dL, 0x1e8e80914caacc0L, 0x073683995746545L,
      0x014744aee6a5fb6L, 0x06dd49ed00b816eL, 0x05e13c5216ed0dbL,
      0x0e58726b2fecc65L, 0x0455d713c1ddad6L, 0x01b3691170185b9L },
    { 0x10b4875573ea5b2L, 0x1200dd486d226eaL, 0x0995e8680c403f3L,
      0x0b9e2288c0f6a7fL, 0x0538bf49722a80aL, 0x15669085c75f82dL,
      0x141f6b850451f4cL, 0x00ecd24e258f6b5L, 0x06dc5fee73f48caL,
      0x0768a4c95c53c6cL, 0x0cc51774bc5d666L, 0x1bc2bf2e371c9d1L,
      0x1dadf1b36843408L, 0x12c995bf02af536L, 0x0224ff52eddb9cfL,
      0x17fb48850e2a7a6L, 0x125173dccd20661L, 0x048395d4cbcef7eL },
    { 0x14de4dd9620ea39L, 0x0b24fe418e77423L, 0x0ec734ea710fefcL,
      0x1e7e7be3aa161d1L, 0x0f0ec9b36a38286L, 0x0e04f1a7683959cL,
      0x0890a9b93261dcaL, 0x175d47d158d15a2L, 0x06ae0e22bfbdfa5L,
      0x10b8f67d8507ac9L, 0x0a21b5ae1c7e355L, 0x1d526bc237b4676L,
      0x007f0f153f6b19bL, 0x1eb6017726c0ad2L, 0x0a23d19f982365dL,
      0x02ca8fd1e47b36dL, 0x02926ac9652439dL, 0x046c9635e9aaa36L },
    { 0x1e0d7ceabeb0ff7L, 0x1a92a1f07217c59L, 0x089b7a021267ef8L,
      0x1e39a89786afa36L, 0x035cfee19ece2e1L, 0x1fac0e0922d6de2L,
      0x0e51e1d3ba103e4L, 0x01522d4ef397b41L, 0x0abcc815afa57aeL,
      0x1d6f616f85310d8L, 0x0940ae07e42f725L, 0x1bc2a77bcc7b7cdL,
      0x1f78884c2554bf9L, 0x05ddaa385447ed5L, 0x014fbd4c2a94ac7L,
      0x04fd5f00a72d852L, 0x1c08d43d8988dd8L, 0x02725f60bae0d72L },
    { 0x18483a2fcc09676L, 0x0251f8cf54d4a5fL, 0x1bcf5c0a977515fL,
      0x05087fcfb14d0a5L, 0x16e35158e7915fdL, 0x0ba3783225dd4c0L,
      0x1c2d6346e57427bL, 0x0bc8ee08b037215L, 0x10bd4bc6bd4fd13L,
      0x16e7033da7419d2L, 0x1a3cc3fd5aa6869L, 0x1001d858c7fc581L,
      0x0598f508a8a9c80L, 0x1949409d224e105L, 0x1fa06880ae532ccL,
      0x0eceec8fc7a51d8L, 0x12472e67d1ab487L, 0x03d2551fab7cef6L },
    { 0x19ef1bae27a0045L, 0x096a7d92165a82aL, 0x0390e73e3493720L,
      0x0b367f38a84748fL, 0x0ffa1fcf97544fcL, 0x11641dad6340995L,
      0x12eddd3e3fb80d2L, 0x14d2d98c81f9a7eL, 0x0775dce9db0512eL,
      0x1ee50cee6e71c0fL, 0x1acfcea74ff9559L, 0x1e8434324e9f83dL,
      0x1428d69b1238e0bL, 0x0fe84efc0acc97dL, 0x06ad77d23f3af7aL,
      0x0d38bb93bf49f68L, 0x1e10cbd7dc8c0a2L, 0x03014153dfbf856L },
    { 0x007e538dceea2e7L, 0x191641e21030ebeL, 0x03e53c7d9458e28L,
      0x178eeed420ced05L, 0x15e6b405f21b69fL, 0x13db21631d1a0bdL,
      0x051013267c96246L, 0x19a70d25950595aL, 0x0f1e82ffe00869bL,
      0x185b8a70b7f2335L, 0x1d0be4640644e30L, 0x0da01f4a2d5cbf6L,
      0x0cd8c73a43e9016L, 0x1de2e1b92aa87bdL, 0x130e7b4b5a901f7L,
      0x17ce1c8f4ea72d1L, 0x1423fd286d94a5fL, 0x02fa574e391e35cL },
    { 0x16a2dda53f4d561L, 0x0a2e80b6d0cc96cL, 0x07eff752c144a1bL,
      0x1b3e432bd489340L, 0x037661b325488a0L, 0x12f701620a8d855L,
      0x0205ee6311c7be7L, 0x015497950dd50cbL, 0x1bbcadb877a68fcL,
      0x059a324b5b9b354L, 0x1a6350559870b62L, 0x098d9202841865dL,
      0x152f2752aff5b3bL, 0x088726ce511a939L, 0x092aa00bd9339cdL,
      0x14a072734fe4d59L, 0x1d29cd3e291401aL, 0x049500a11ee2357L },
    { 0x1f24be11c2f7dbdL, 0x04807dbea93fd74L, 0x16ee1923c4a36a3L,
      0x04902832832c7c4L, 0x1a6756fb9ab713eL, 0x06c85ef43fbe80bL,
      0x1aaf49d37617816L, 0x12b047fdcf504acL, 0x09f6230d7742401L,
      0x02bcf96565af237L, 0x09898c5a9321f81L, 0x1487b33610ae544L,
      0x03e488789e9ca19L, 0x0a0361dec36e15dL, 0x18255fbe582d6e6L,
      0x0a2b6de58851712L, 0x19b90748706161cL, 0x007e47f0f554465L },
    { 0x0ae1bedfeb90f2dL, 0x1dd9e52458aacb4L, 0x1e73d93a58d7ce4L,
      0x01f17ceb8457cc5L, 0x1e6f7529354c241L, 0x165598debf5381aL,
      0x1cfff09921a3858L, 0x0fd62723ce190c1L, 0x1df367c751d8983L,
      0x0a85b5a15f994a0L, 0x03d1b9e304c63f8L, 0x1b57458962c12bdL,
      0x0e701afbf32b3f1L, 0x0f443a62e3667aeL, 0x11b72f8eb49d4c1L,
      0x125ba7250bca2bbL, 0x09f3c954d86d998L, 0x01685d4316fe9bcL },
    { 0x0cd8ee8b472e1afL, 0x0a7575bb55de675L, 0x0fe34364fef7acdL,
      0x0ffcdf8e0d36a41L, 0x04ee2f39fccd60dL, 0x00f28f549a9eef5L,
      0x19ddd7ac2497a6aL, 0x0d3dc669b43a26cL, 0x0c1d28c9fd5354dL,
      0x0bb8baac952f6aaL, 0x18d9fedfdc3606eL, 0x1d9552675cf4ba7L,
      0x19e23cfbb77be7eL, 0x04a4bb40932678fL, 0x0d88d6c344a7d2aL,
      0x0edb4e0a6eb4813L, 0x1fcccf64c7548a3L, 0x04b1e438926a0edL },
    { 0x0e290cbde36a814L, 0x180cab99d895addL, 0x019fddff83866f6L,
      0x1a52e419d41d75bL, 0x1029ec720a7d19fL, 0x08c88f21a6bb28cL,
      0x1fd8215abfc5eedL, 0x00da144bb35b014L, 0x0ffca86aff848c1L,
      0x1f45efca1d6ba4eL, 0x180a138f9a5aed4L, 0x0615dddc842bf73L,
      0x1e2ecf3c633eb66L, 0x070060604ec7ddcL, 0x15efab1c7693fe9L,
      0x18fdf652d7cb2baL, 0x1bd1751fbada8ceL, 0x01681f59e7faaebL },
    { 0x116925f04f2ec1dL, 0x0793b068a3f7175L, 0x1812ab676782a1eL,
      0x167ee206b6885beL, 0x0cb95d5b891df44L, 0x147691e1413959cL,
      0x1cf8dbc53bed57bL, 0x0bde7888c1e2761L, 0x0889f9bd76bd733L,
      0x04f73b8fbaadd37L, 0x0613fbb4866db22L, 0x0e6fd85dc822c4dL,
      0x0263efcd372d44cL, 0x131bc135dca1c2dL, 0x19ade9f6424c86dL,
      0x0c36f849f14f27dL, 0x0d9a3ca8d24a7cfL, 0x042172060e2a5d6L },
    { 0x0268ed6a661d843L, 0x1466527ad9866adL, 0x1b444c4785dc08cL,
      0x098cd2b2ce2dcdfL, 0x17b2e280690decbL, 0x1f21685ed62dfb2L,
      0x128be09fe0b287bL, 0x00d8aa9d81594bfL, 0x1ac5276c1dde455L,
      0x1fa65847183ba89L, 0x1db66b321e5f32dL, 0x10281b2665a5195L,
      0x17285a409fd5964L, 0x1111e849e635714L, 0x0a3f025ddcf0a95L,
      0x1fcd85aa4cd58a2L, 0x128a596b7cbbc31L, 0x0073198cd656489L },
    { 0x1cd2fadf0360ac2L, 0x1306f142f302d5aL, 0x1c43896e6c521adL,
      0x1b55358aa9058d9L, 0x126c070e9d5fa38L, 0x0662969efe78dc2L,
      0x11fd40de6a5acffL, 0x143c6cb385217f9L, 0x15b1a3db569d3e6L,
      0x00a945acdbda16aL, 0x17be92708a801adL, 0x00313699c76d269L,
      0x04b3abaf3290f38L, 0x1fc1c4f15839de0L, 0x0968d6c9e96888bL,
      0x14f8416f53aa3ffL, 0x05a4939ecef28e1L, 0x04441ced10c3938L },
    { 0x0b66c30701ce29aL, 0x178932c4c0ea82bL, 0x1030417e7c84eb2L,
      0x0c6e7c7a27a9b5fL, 0x1a2ee3cafee571eL, 0x101c2d73934e437L,
      0x1a6b3d732992b74L, 0x1de42fe4eae6001L, 0x0c934db470e7273L,
      0x14a7a7b9aadb3bbL, 0x08dae5bf0146010L, 0x03b760a432163f5L,
      0x10e9eaef528f88bL, 0x0db40dc81abc8dcL, 0x0570da7cdfecbafL,
      0x0439273a14a3a88L, 0x026fc59cca71d2eL, 0x03209467f50fa86L },
    { 0x03678a2e8f5b0b5L, 0x1124e69a0782cf8L, 0x11064f29f3b171fL,
      0x0d79075f3082880L, 0x1aa8bbb0075ca34L, 0x01187bf9cf8019fL,
      0x1cd14f463c3b7ceL, 0x0eaf1bfe019a891L, 0x1849228c0d51aa4L,
      0x0a7138418649468L, 0x0e9a1a3c4b3f4f7L, 0x13b71167440d8cdL,
      0x19016dae0109104L, 0x1129f1beec32e82L, 0x1a61c6d1667a417L,
      0x0265c6459e184f9L, 0x1da014f54da174aL, 0x049b1a504ded5e5L },
    { 0x0826b27a9a2e304L, 0x10c3360d2609231L, 0x00c888e05c4315fL,
      0x0b5308f9fd22757L, 0x0b5f46fd7e9b6b8L, 0x1c733694b2ae789L,
      0x17aadca555cae00L, 0x103c9974c02df52L, 0x0bbc11071b9dedaL,
      0x1f8004d1f8e7b0fL, 0x09ddecdcf833ee5L, 0x0139a273ac76a6eL,
      0x1a4f87d78e302f9L, 0x1a0243b18f6b396L, 0x1308ac8d881de8eL,
      0x1ddcf8811865b3bL, 0x17e4b4c5bf226deL, 0x013365a33de031aL },
    { 0x1aa4154b56363e8L, 0x1e83c1e0d526db7L, 0x1778ae79965d2d3L,
      0x1df4009708286b1L, 0x119911a65b34ae3L, 0x1b5fbc67a259767L,
      0x17255572aa0ce94L, 0x03ac0dc3d7310e1L, 0x0e3c3287d09f351L,
      0x0597a75ceae79b2L, 0x13a2498eae3279aL, 0x051d86d56c2382aL,
      0x0ba1b7d12015488L, 0x098adc6b84995feL, 0x11ceb05fb9ed6f1L,
      0x055e6f05fa1a3eeL, 0x0e1bcb029a83c8fL, 0x0258ead0da922a7L },
    { 0x0fe517463d52c0cL, 0x0a92f0c4604ce89L, 0x158cd838e558dcdL,
      0x1559f4b486b8c42L, 0x197e810788b3f1cL, 0x0f040548091d053L,
      0x16b6ae8c7dad6c5L, 0x191afbcbc25f947L, 0x03287361b0df511L,
      0x064006a32babea7L, 0x043cf5481fb245fL, 0x0de261dd41c6210L,
      0x133ea5a2ec0d4e5L, 0x1f355de85dfbf70L, 0x02fd865bf01dd8aL,
      0x1a8559063fb9c24L, 0x127e07439fab622L, 0x040c35c9fa84725L },
    { 0x019d15409312867L, 0x01602dfd7beda63L, 0x19a07d7d7769f81L,
      0x0f49f87b05839e2L, 0x0e68b8fe50aa505L, 0x1a6b22769876b2eL,
      0x0125fb2c0702efaL, 0x038f6bb88890638L, 0x1351e6a009b7d9bL,
      0x1dc31dceca3be48L, 0x196244175044292L, 0x19e886b016f5574L,
      0x1690be357e30086L, 0x13da90a7589ce03L, 0x10ead5c4afffc68L,
      0x137f4f39f8dae45L, 0x12a4743de57f34aL, 0x005fcbf4be4f715L },
    { 0x0ec4ec8dda19e96L, 0x10c7536183745cbL, 0x04ad97da4629533L,
      0x161b341b32fd06cL, 0x02fdcc091ac6f68L, 0x1e1f09cc534bd23L,
      0x05cc1973897c656L, 0x00c312dd9b56727L, 0x19eb81a0f32f128L,
      0x1eba0b70e96e3efL, 0x11e5dab51cd6674L, 0x15353ebde873c45L,
      0x0b9e69d94e3de37L, 0x054e85e435bd605L, 0x1dbc4839afea780L,
      0x1847eaed50e1aacL, 0x0bb3bd91bb4feaaL, 0x047f2a4161f2055L },
    { 0x1ae67c2ce9a4d1eL, 0x15c01a78e901c42L, 0x1ce89741864930fL,
      0x1a611f6838b8d91L, 0x071c294e803de0aL, 0x17586d4cb0fade7L,
      0x1a2db71881e37c0L, 0x11f90fdea2b6c95L, 0x169679f1e50b4d1L,
      0x0e004d0a90ccfa1L, 0x1212f83d90297f1L, 0x176247b56acd4faL,
      0x0c64275d2c4c918L, 0x05696f6b533e08aL, 0x12d723656a44ee7L,
      0x077ec313da316d6L, 0x03f4aeb6206b42dL, 0x01c946334dde45eL },
    { 0x04bea4adacb4b64L, 0x115227930bcd0efL, 0x0539ea444a900fdL,
      0x1ba6de663de7559L, 0x007b85c490448fbL, 0x10dbbda130215e2L,
      0x1a6116b62965884L, 0x01a62ce949ecf9dL, 0x17fae8bbe4e3b2fL,
      0x00efb6ed3e49875L, 0x1bea6309674351aL, 0x13cd7d4383fb5bdL,
      0x0b21d405d11b14dL, 0x19c493aa1dd56e4L, 0x1c73793c077fe4dL,
      0x1a1b30386b67de0L, 0x0f61704d2e19150L, 0x0366644479aa89aL },
    { 0x0d36f0e7ad7504cL, 0x1932ffbcaceeefcL, 0x1b7bfb799eaaf28L,
      0x1d75d7e65e1b9a3L, 0x014edcfc1276f4cL, 0x16c75bb412d3730L,
      0x138782e306a0a66L, 0x034624049521371L, 0x0cb8fd98b9cbd35L,
      0x04209bc7d58f45fL, 0x143d74e5cf2b3e9L, 0x09084b3aa4a82fdL,
      0x0374b91393a17e1L, 0x0d651e74a9eadc2L, 0x103e0563de4ac84L,
      0x1af7a06bfe22191L, 0x0f96afa6357ad4eL, 0x0178a8cc05937d7L },
    { 0x08631da29d2d439L, 0x1dde15e01ccaa86L, 0x1e49b016dd6c487L,
      0x016d9c8fd87cb52L, 0x1d88c6586d6cf4cL, 0x1aad0bdd550bb3cL,
      0x16a140c76e79fccL, 0x1bf0703c7b015deL, 0x1c71db29015a31bL,
      0x1c7b5ba4a4c7ebeL, 0x17cfe44efbbbd98L, 0x04e3e956cf6689dL,
      0x10fd22df11e6173L, 0x102e27491d10163L, 0x1ae6483def80e24L,
      0x095543843210b51L, 0x1656c805ce8beb5L, 0x01aa582db8562c6L },
    { 0x171e2367a9170e9L, 0x16216a656a866b8L, 0x093cf37733ec07bL,
      0x074cd95c35ff7d0L, 0x165c7d01a73e8ceL, 0x1ecb8f5b89c53fcL,
      0x09cac001638fd70L, 0x0dea4b235865fe1L, 0x0a32fb5bcbbbce7L,
      0x1920d5c54fc0d0cL, 0x14cccbb29a18c3cL, 0x13f88905e277e63L,
      0x17a4681be2847afL, 0x12af7e7cb0cb710L, 0x0b31c1664e3e4cbL,
      0x1f5847cfb5970e1L, 0x1a1d41be893cf09L, 0x0246e2ae2571a91L },
    { 0x0623826a5092193L, 0x161b1344c4b8647L, 0x1abc9727ad0791bL,
      0x01078fa48a5e26aL, 0x17d00e384178064L, 0x090a8e4c16f7b3cL,
      0x021a4e0badb9e94L, 0x0042a9c20ef15ebL, 0x0187070758a51cfL,
      0x0f5d4fbb8989e2cL, 0x1ee5cee85564133L, 0x1e963a1af674bacL,
      0x118b8af2cd851c9L, 0x0c35c6b10cf94ebL, 0x0ee70cf2e5333feL,
      0x118d10e4bc49772L, 0x021405ce4c566e3L, 0x02fb5476e85b6e0L },
    { 0x1704ca58f9a8690L, 0x14bb317bb5203c1L, 0x1631a48040a0fcdL,
      0x0d79c7499ff7825L, 0x04aab26d4cd58f1L, 0x122bd43c0233250L,
      0x05e500173eee93aL, 0x072a6f2a367714bL, 0x14ca2b9e44fe1f7L,
      0x0214566ef992bcbL, 0x168d083a890f6f9L, 0x0c57e879c03cc91L,
      0x01f27db490cce65L, 0x05fdbe784207821L, 0x01e5f4c55b32dc2L,
      0x029773666901ab5L, 0x1ac2e12e07a9eb8L, 0x00e532839653fc3L },
    { 0x1b321cf2b9d25a0L, 0x1fee52053a36dfdL, 0x0c39678da2d59abL,
      0x08fb000d1f8382aL, 0x1647dd6856ed1eaL, 0x1bc6d44dba6c7f2L,
      0x0ce44765ad41e26L, 0x0be736ea487177cL, 0x0ef8d443e0d858cL,
      0x0e96da4cb23551aL, 0x14ef47999d50f13L, 0x0180d130130aff5L,
      0x1249facabad0d71L, 0x0a7cd0c94fbd7f9L, 0x0cc1e841577b070L,
      0x1fec9594cc7323fL, 0x0eeac44fd9135ffL, 0x0231657db65d69eL },
    { 0x060a647de3237ddL, 0x19ae6415c3a020bL, 0x1d6777e957e257dL,
      0x1ce4d72295ef0f3L, 0x1c93e29815ef043L, 0x18c1988c3a9c9e8L,
      0x084ae868af9d1bbL, 0x0fe9cfd1bf84b53L, 0x1dfefc97da9c391L,
      0x043ae8185175f20L, 0x1748d69ccb4732fL, 0x0ffdb3754da61eeL,
      0x0b65f4857606feeL, 0x089fc1e0553c27dL, 0x03e744c8c557889L,
      0x1d5fba5f6ee307dL, 0x0082a291503b546L, 0x00949e4c6366c9bL },
    { 0x078125149d53b77L, 0x1a01ecb757d63b9L, 0x1f6d28dadc469aaL,
      0x110fcee3836faf8L, 0x13b375228238c70L, 0x03a986a4afb55f9L,
      0x0446ac2c0a27232L, 0x13d9507970dcef6L, 0x1be1c0fb8a1bd18L,
      0x067d97d8d74ebe3L, 0x108f1525030fa16L, 0x1c82e95b220fa0bL,
      0x05064e714216e79L, 0x1efeb0a7d0523f8L, 0x11a622f1a4a7353L,
      0x11f63db64b09872L, 0x0ba73e4b5f3e46fL, 0x029dbcd50b4754aL },
    { 0x16fafce44bbb6a1L, 0x0ddd033c10b9410L, 0x0cc2a7764e6b4e9L,
      0x1be33df5fdde3c9L, 0x1b4ec014022eaf3L, 0x16339c7f6ad5e73L,
      0x02689925a3b9944L, 0x00a462330d253fdL, 0x00d539d8d47397cL,
      0x0005e2a11a2cb62L, 0x01fd614d1984759L, 0x120793abb41f725L,
      0x17c83af2a804099L, 0x1940a8f0f2f7a4cL, 0x10044132277006cL,
      0x0593a2a1f6952b0L, 0x03340a6f7d5f387L, 0x041486b68ab6174L },
    { 0x04637c6d8546946L, 0x1a51cb4f62bfd7cL, 0x06935e2401fb684L,
      0x1c1b8f7013a846bL, 0x0d6784a9b42557fL, 0x056daff31572969L,
      0x1f29689c532982fL, 0x02398411bcc6755L, 0x02380ed5ced9678L,
      0x135aaf4ed990b30L, 0x0b40b299d48d69bL, 0x1df3667f41c237dL,
      0x06f06a2a0851cc6L, 0x1623d9e7fe911f1L, 0x0aa613803cccb87L,
      0x05c288b3e52f741L, 0x1b06fa1d969ee95L, 0x0283778d59827d5L },
    { 0x1b4eb2735bff163L, 0x05cb7f54fd4c208L, 0x0cfe77ac9f39c4cL,
      0x0b3ba387aacd59dL, 0x073075aaa2daf1aL, 0x038dac7a84853f5L,
      0x0b670da9abce78cL, 0x02d451ac67bbee7L, 0x0dd354cacbdc89aL,
      0x1f51a11ea6e5e1eL, 0x11d348de764b477L, 0x0adf1ddacecadddL,
      0x03fa8feb1fe14a4L, 0x1cc7e5e3fd5f3baL, 0x069c1b8501333e2L,
      0x18cf0d99a5f7feeL, 0x144daaf3fdb4d85L, 0x020adbedf8a9001L },
    { 0x10105867d8377a7L, 0x11eb465c019394bL, 0x0a27c0e930c81a2L,
      0x1b2791e521facfaL, 0x09e5a2b84bc7095L, 0x15cf9db897d09e7L,
      0x1530bf1ab1b183fL, 0x00219b46db2dc1cL, 0x14549975186320aL,
      0x098c648cbf80788L, 0x1130ff9a4d9423eL, 0x1df30be0d15403bL,
      0x10a2b5511c769a2L, 0x1a0917029a91677L, 0x1d750fc01a597b6L,
      0x03ab3f9c1f5f982L, 0x19d525dc9bdec83L, 0x00f618a78d7ac43L },
    { 0x063feef2c8310c2L, 0x10a6d22bf1fba03L, 0x03f394d1a21ea9fL,
      0x1ec6fd858a72562L, 0x1542f8dfcde4a38L, 0x0f0b88a83b99905L,
      0x06f18d04c0be7dfL, 0x0de031638c75c97L, 0x0f001c46edd2f9eL,
      0x1dd854b937667d0L, 0x06e675dd1b831f4L, 0x0defeb0eb5d9526L,
      0x1c96939c82e0c8bL, 0x1ef2d3325d9978bL, 0x0afe9add944d748L,
      0x00bbce326d968a5L, 0x188ad5cc08f2dc1L, 0x00bf48e893fffabL },
    { 0x092ced3b7e051caL, 0x06a7e8ce3bb6a5fL, 0x0d480219e12f191L,
      0x0f9d3ad66391569L, 0x1289e9c73ea6622L, 0x150cf71ca924d1eL,
      0x16bb15142799744L, 0x01d4f7a8d25186cL, 0x1354997e477963eL,
      0x0bb2cabdaccb996L, 0x012bae47528ed83L, 0x1d483bd67c5132bL,
      0x0d572571df6e653L, 0x18c570fce53e4c7L, 0x1dee5fbcc068e3eL,
      0x141aa2c53ef84c7L, 0x001df242282afc4L, 0x008c79da59eee86L },
    { 0x0a0a0a87ad4762bL, 0x1c26d462c68babaL, 0x058133ddb6186bbL,
      0x0cfcc1b3162dfe9L, 0x1ecc1dbac0be878L, 0x0b0a3d41b1bffd9L,
      0x11b970912982577L, 0x00b47c2f068b610L, 0x1735eb686e77a4cL,
      0x1e0c5a7efbac34aL, 0x06342c6f7f94bd6L, 0x181a00e2b7422acL,
      0x1ac2dd617f878ecL, 0x10db0b880edede8L, 0x1d64f08874ad8c4L,
      0x0e048459d14f289L, 0x1273b9b536a44f1L, 0x000e8533e4681f3L },
    { 0x19642361e46533cL, 0x1bcc87dc461573dL, 0x145a90b12863a51L,
      0x1bb078f48a0336bL, 0x0cb663e37135e81L, 0x1606b1ba534deeaL,
      0x03699ed9fb36f9dL, 0x01407aa8a4223cdL, 0x1596cceb5d2e865L,
      0x0ab96fe95781d9bL, 0x192e87eaf5654b3L, 0x08ad69db0ad2a46L,
      0x12c950d5d47f47dL, 0x043717c22d6c5abL, 0x1aec1132b74b7e9L,
      0x011cdbaa4f6878aL, 0x00fc9adba24997cL, 0x00db12d833ed319L },
    { 0x0dfaa7b4fd8446dL, 0x19780d7b7f5f5a2L, 0x0e23fa20e2d7006L,
      0x1f7752eb177e888L, 0x07156bc9f33c434L, 0x0484c595cb8e5d4L,
      0x11775ac9179707dL, 0x1af0fb96a685683L, 0x0db1f80c634d852L,
      0x0b7192c1219ed1aL, 0x008194fdf7c309bL, 0x0cf86c1966cbecdL,
      0x029826656ac4ca5L, 0x1f834bb4190fd56L, 0x01d98e44fd729beL,
      0x0e6dc2a72f2434eL, 0x08dbdf143288400L, 0x0199f654b0cfe4aL },
    { 0x1337948ac775d81L, 0x128c7ea0edde511L, 0x093ef3f3a520e30L,
      0x0ca8e07fcec478fL, 0x13fb3b5baad3623L, 0x0e00f8159d09d20L,
      0x0598576cd5969fdL, 0x123ae4811b8a46bL, 0x15a17f8e51d616eL,
      0x060b775e592dcccL, 0x1a33c4ce4dd0fa4L, 0x0e95ca96c94fe6bL,
      0x0a65cd449d987daL, 0x1bf3d8aeaabd991L, 0x1344d3dd9420a94L,
      0x00e8c9a4b8e85e5L, 0x135ae9d9c074ccfL, 0x0397e1088439468L },
    { 0x106b203f96004c8L, 0x1cae7a2c02affd4L, 0x019d57cd642760fL,
      0x17caa191ddaefabL, 0x15a060814a9ea6fL, 0x14103148e46654aL,
      0x1e179287fb9e2f3L, 0x0cdd735bc0d347bL, 0x1fbbdcf0c7d3de6L,
      0x1451c8dae99b6a8L, 0x1e34a170bff0f08L, 0x1bc65ef62cb6ec1L,
      0x04561770401ee48L, 0x0ef7fcd001c01ecL, 0x1f8d69395cfd922L,
      0x14d8dc344e71d42L, 0x12d238ef17c8840L, 0x02404a37c588f6cL },
    { 0x0c747a8fd71f119L, 0x12e2f29f59b4ac2L, 0x1e198a6161e8679L,
      0x135631ade81c5ecL, 0x0630b8c048a4889L, 0x157c4950d4c8126L,
      0x15892125d4258b2L, 0x1a9910d3575c41fL, 0x03b72b04d6c2b7dL,
      0x13baf5b04c97be8L, 0x0701b9f41b9a138L, 0x06c3c977a00e011L,
      0x0b4ba846e4cb3b4L, 0x032326cf50d7333L, 0x1e14e7f0070bac9L,
      0x15f8ff0de57cd83L, 0x10216e8e8aecf68L, 0x046d5b0fee39c34L },
    { 0x0a5c903d54d1d45L, 0x014bf7fa7cdd121L, 0x1480d351e2d2b35L,
      0x161188c4345b116L, 0x1486540235b2ba2L, 0x0f997369e91cdd9L,
      0x1f708779dabb644L, 0x0050eff179e7e0dL, 0x1802714c19ec515L,
      0x0822275d2c83806L, 0x108a7cc773255e8L, 0x0f57702d3fdb0d2L,
      0x152caf080e5ece7L, 0x05ebe778aadf450L, 0x0e5fb84fac86c53L,
      0x0d2193bdef5a2cfL, 0x1e7e03ca879118fL, 0x037bbf316fccd94L },
    { 0x071bdede40bbf59L, 0x1d229b200d56b51L, 0x00d5cd5073445deL,
      0x0c96e3605e2eabcL, 0x0813359f3465b46L, 0x1c75639175b889dL,
      0x1ced65e4aa3f5bcL, 0x17e2354025ffe77L, 0x099aafabff85c3fL,
      0x0f0517783606621L, 0x15755ddcedecea4L, 0x1cedacd30814629L,
      0x132e5a8be6ae5e2L, 0x00e7aac04309b03L, 0x0fb440bb9b5d5e3L,
      0x1e1d64689c01ed1L, 0x180799d78868184L, 0x031c0ce48e1e967L },
    { 0x05392e17884b073L, 0x1d0fe758933f565L, 0x17c241c0e29e7b0L,
      0x19c988f6e07a0feL, 0x1bf96b91cb2ac07L, 0x1527dffcb332770L,
      0x19403afd5d624abL, 0x008b557e723f5bcL, 0x0c5b3376f171d12L,
      0x1fb0628d069ec0dL, 0x0b3f9e5daa112c7L, 0x19357b4c24b4216L,
      0x134ebd453ee131cL, 0x0825b5e0f07e0b6L, 0x0be32af0340c669L,
      0x1368fc87417ce14L, 0x1eec80afeec55e4L, 0x033ea46894132ebL },
    { 0x08d59a7ea2d56d6L, 0x15e8713a4053183L, 0x16c2b9cd9b375c6L,
      0x140e409d78d7a23L, 0x177e6293fbb639cL, 0x1d461ec4d12173fL,
      0x1e6a37b9f28add6L, 0x0208e5bb87ac945L, 0x084229df47561a0L,
      0x0fb1642e2db24eaL, 0x15ac6d37249f365L, 0x0240bdcc0b2dfbaL,
      0x10abf29401fe8bbL, 0x0868e0c21f7e552L, 0x0c077d75240343cL,
      0x087ea59e2275251L, 0x1c7a3d7ebc31f0eL, 0x013ca871c741c26L },
    { 0x0b21ff0e1d0fa79L, 0x1e8198245aef4f5L, 0x1a24bf8dd32d2e7L,
      0x149d643ed699268L, 0x0925e7e7bb4827fL, 0x0a6298a338b7bcdL,
      0x1b77c510afcd9f7L, 0x11240e72a99a5d2L, 0x14e0141ae8502aaL,
      0x170070d4777b664L, 0x1a1245620336be3L, 0x14b8d2c5008cab9L,
      0x185d15dfbfff3abL, 0x0fb4279299ae627L, 0x0796f629fc11032L,
      0x04b575d008a7f76L, 0x171a1c99813ff22L, 0x02a7fbc423cd92eL },
    { 0x1c6ee30de40b068L, 0x1232df379d28f13L, 0x1813e8ec87da489L,
      0x1b8083022bc4948L, 0x0df90d2b50a5a5aL, 0x186007f1942a20cL,
      0x0238eedd3963f72L, 0x1938d1e36769458L, 0x1339df0810ccd9eL,
      0x0a9b16e5bc3754fL, 0x1178c72556bab64L, 0x003b16d4d8d6512L,
      0x1c3678a427d6a2cL, 0x14649816034f416L, 0x08407985e1d5400L,
      0x1650d159b52cb3fL, 0x0fe4e4e4573ee30L, 0x0456dd6c29f8c18L },
    { 0x00ae11f0969d524L, 0x1ed7bf9cde63c83L, 0x1d99f307f30bd0bL,
      0x05c466da9e79d8cL, 0x0e1c0f7f456b9cfL, 0x027d873550faef4L,
      0x12ca336f0ab4826L, 0x1de81219f4c368cL, 0x140d86f301243f3L,
      0x0d8b66666af43f3L, 0x1c5a30c09b35065L, 0x0d9702d80e60807L,
      0x1358407a1ddbe38L, 0x0b8bf0d78a75c37L, 0x12f25b3d622d3e0L,
      0x0e3836eb8834ccdL, 0x05ff342c1aa027eL, 0x039c9801b604a2fL },
    { 0x14f757d22cdaf42L, 0x1ac8efa0c0d55caL, 0x0067d5453c95e22L,
      0x11e31fab791730dL, 0x022ceb9169642e0L, 0x07b4c2c95982e88L,
      0x072b85c5640f9a9L, 0x15497afad3ac22fL, 0x0dacdfd5dd29c01L,
      0x02eeead6c888466L, 0x0b1ec592b23c55cL, 0x09c36a48c65e869L,
      0x1b731fc44761a51L, 0x104b0d98a2dcf30L, 0x1abc88f3d584d23L,
      0x133a7385152cee7L, 0x1e25bd10182aa7cL, 0x045e376257214b2L },
    { 0x096e5c0e7f2a32bL, 0x04006049c451868L, 0x0df10078d833fd5L,
      0x1976c0a94c0dfc8L, 0x0457aa6e6655fc9L, 0x14d95ba8870c304L,
      0x1698682b3f288acL, 0x194e64907c6a36fL, 0x1e31471ee6be6c8L,
      0x0b2a18e45b2e4d0L, 0x0b0ee5235972ef9L, 0x18435d365551f93L,
      0x0daa60aa6ad308fL, 0x0c17e06a6b53ef8L, 0x11e935ca11365aaL,
      0x112ab56025858b0L, 0x0152b3c8f71dcebL, 0x04742a1bedf4e3fL },
};

/* Perform the modular exponentiation in Fp* for SAKKE.
 *
 * Base is fixed to be the g parameter - a precomputed table is used.
 *
 * Striping: 128 points at a distance of 8 combined.
 * Total of 256 points in table.
 * Square and multiply performed in Fp*.
 *
 * base  [in]   Base. MP integer.
 * exp   [in]   Exponent. MP integer.
 * res   [out]  Result. MP integer.
 * returns 0 on success, MP_READ_E if there are too many bytes in an array
 * and MEMORY_E if memory allocation fails.
 */
int sp_ModExp_Fp_star_1024(const mp_int* base, mp_int* exp, mp_int* res)
{
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td;
    sp_digit* t;
    sp_digit* tx;
    sp_digit* ty;
#else
    sp_digit t[36 * 2 * 18];
    sp_digit tx[2 * 18];
    sp_digit ty[2 * 18];
#endif
    sp_digit* r = NULL;
    unsigned char e[128];
    int err = MP_OKAY;
    int i;
    int y;

    (void)base;

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 38 * 18 * 2, NULL,
                            DYNAMIC_TYPE_TMP_BUFFER);
    if (td == NULL) {
        err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t  = td;
        tx = td + 36 * 18 * 2;
        ty = td + 37 * 18 * 2;
#endif
        r = ty;

        (void)mp_to_unsigned_bin_len(exp, e, 128);

        XMEMCPY(tx, p1024_norm_mod, sizeof(sp_digit) * 18);
        y  =  e[112] >> 7;
        y |= (e[96] >> 7) << 1;
        y |= (e[80] >> 7) << 2;
        y |= (e[64] >> 7) << 3;
        y |= (e[48] >> 7) << 4;
        y |= (e[32] >> 7) << 5;
        y |= (e[16] >> 7) << 6;
        y |= (e[0] >> 7) << 7;
        XMEMCPY(ty, sp_1024_g_table[y], sizeof(sp_digit) * 18);
        for (i = 126; i >= 0; i--) {
            y  =  (e[127 - (i / 8)] >> (i & 0x7)) & 1;
            y |= ((e[111 - (i / 8)] >> (i & 0x7)) & 1) << 1;
            y |= ((e[95 - (i / 8)] >> (i & 0x7)) & 1) << 2;
            y |= ((e[79 - (i / 8)] >> (i & 0x7)) & 1) << 3;
            y |= ((e[63 - (i / 8)] >> (i & 0x7)) & 1) << 4;
            y |= ((e[47 - (i / 8)] >> (i & 0x7)) & 1) << 5;
            y |= ((e[31 - (i / 8)] >> (i & 0x7)) & 1) << 6;
            y |= ((e[15 - (i / 8)] >> (i & 0x7)) & 1) << 7;

            sp_1024_proj_sqr_18(tx, ty, t);
            sp_1024_proj_mul_qx1_18(tx, ty, sp_1024_g_table[y], t);
        }
    }

    if (err == MP_OKAY) {
        sp_1024_mont_inv_18(tx, tx, t);
        sp_1024_mont_mul_18(r, tx, ty, p1024_mod, p1024_mp_mod);
        XMEMSET(r + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(r, p1024_mod, p1024_mp_mod);

        err = sp_1024_to_mp(r, res);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    return err;
}

#endif /* WOLFSSL_SP_SMALL */
/* Multiply p* by q* in projective coordinates.
 *
 *   p.x' = (p.x * q.x) - (p.y * q.y)
 *   p.y' = (p.x * q.y) + (p.y * q.x)
 * But applying Karatsuba:
 *   v0 = p.x * q.x
 *   v1 = p.y * q.y
 *   p.x' = v0 - v1
 *   p.y' = (px + py) * (qx + qy) - v0 - v1
 *
 * px  [in,out]  A single precision integer - X ordinate of number to multiply.
 * py  [in,out]  A single precision integer - Y ordinate of number to multiply.
 * qx  [in]      A single precision integer - X ordinate of number of
 *               multiplier.
 * qy  [in]      A single precision integer - Y ordinate of number of
 *               multiplier.
 * t   [in]      Two single precision integers - temps.
 */
static void sp_1024_proj_mul_18(sp_digit* px, sp_digit* py,
        const sp_digit* qx, const sp_digit* qy, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 18;

    /* t1 = px + py */
    sp_1024_mont_add_18(t1, px, py, p1024_mod);
    /* t2 = qx + qy */
    sp_1024_mont_add_18(t2, qx, qy, p1024_mod);
    /* t2 = (px + py) * (qx + qy) */
    sp_1024_mont_mul_18(t2, t1, t2, p1024_mod, p1024_mp_mod);
    /* t1 = py * qy */
    sp_1024_mont_mul_18(t1, py, qy, p1024_mod, p1024_mp_mod);
    /* t2 = (px + py) * (qx + qy) - (py * qy) */
    sp_1024_mont_sub_18(t2, t2, t1, p1024_mod);
    /* px = px * qx */
    sp_1024_mont_mul_18(px, px, qx, p1024_mod, p1024_mp_mod);
    /* py = (px + py) * (qx + qy) - (py * qy) - (px * qx) */
    sp_1024_mont_sub_18(py, t2, px, p1024_mod);
    /* px = (px * qx) - (py * qy)*/
    sp_1024_mont_sub_18(px, px, t1, p1024_mod);
}

#ifndef WOLFSSL_SP_SMALL
/*
 * Convert point from projective to affine but keep in Montgomery form.
 *
 * p  [in,out]  Point to convert.
 * t  [in]      Temporary numbers: 2.
 */
static void sp_1024_mont_map_18(sp_point_1024* p, sp_digit* t)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t + 2 * 18;

    sp_1024_mont_inv_18(t1, p->z, t2);
    sp_1024_mont_sqr_18(t2, t1, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(t1, t2, t1, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(p->x, p->x, t2, p1024_mod, p1024_mp_mod);
    sp_1024_mont_mul_18(p->y, p->y, t1, p1024_mod, p1024_mp_mod);
    XMEMCPY(p->z, p1024_norm_mod, sizeof(sp_digit) * 18);
}

#endif /* WOLFSSL_SP_SMALL */
/*
 * Calculate gradient of line through P, P and [-2]P, accumulate line and
 * double P.
 *
 * Calculations:
 *   l = 3 * (p.x^2 - p.z^4) = 3 * (p.x - p.z^2) * (p.x + p.z^2)
 *   r.x = l * (p.x + q.x * p.z^2) - 2 * p.y^2
 *   r.y = 2 * p.y * p.z^3 * q.y (= p'.z * p.z^2 * q.y)
 *   v* = v*^2 * r*
 *   p'.x = l^2 - 8 * p.y^2 * p.x
 *   p'.y = (4 * p.y^2 * p.x - p'.x) * l - 8 * p.y^4
 *   p'.z = 2 * p.y * p.z
 *
 * @param  [in,out]  vx  X-ordinate of projective value in F*.
 * @param  [in,out]  vy  Y-ordinate of projective value in F*.
 * @param  [in,out]  p   ECC point - point on E(F_p^2) to double.
 * @param  [in]      q   ECC point - second point on E(F_P^2).
 * @param  [in]      t   SP temporaries (6 used).
 */
static void sp_1024_accumulate_line_dbl_18(sp_digit* vx, sp_digit* vy,
        sp_point_1024* p, const sp_point_1024* q, sp_digit* t)
{
    sp_digit* t1  = t +  0 * 18;
    sp_digit* pz2 = t +  2 * 18;
    sp_digit* rx  = t +  4 * 18;
    sp_digit* ry  = t +  6 * 18;
    sp_digit* l   = t +  8 * 18;
    sp_digit* ty  = t + 10 * 18;

    /* v = v^2 */
    sp_1024_proj_sqr_18(vx, vy, t);
    /* pz2 = p.z^2 */
    sp_1024_mont_sqr_18(pz2, p->z, p1024_mod, p1024_mp_mod);
    /* t1 = p.x + p.z^2 */
    sp_1024_mont_add_18(ty, p->x, pz2, p1024_mod);
    /* l = p.x - p.z^2 */
    sp_1024_mont_sub_18(l, p->x, pz2, p1024_mod);
    /* t1 = (p.x + p.z^2) * (p.x - p.z^2) = p.x^2 - p.z^4 */
    sp_1024_mont_mul_18(t1, l, ty, p1024_mod, p1024_mp_mod);
    /* l = 3 * (p.x^2 - p.z^4) */
    sp_1024_mont_tpl_18(l, t1, p1024_mod);
    /* t1 = q.x * p.z^2 */
    sp_1024_mont_mul_18(t1, q->x, pz2, p1024_mod, p1024_mp_mod);
    /* t1 = p.x + q.x * p.z^2 */
    sp_1024_mont_add_18(t1, p->x, t1, p1024_mod);
    /* r.x = l * (p.x + q.x * p.z^2) */
    sp_1024_mont_mul_18(rx, l, t1, p1024_mod, p1024_mp_mod);
    /* r.y = 2 * p.y */
    sp_1024_mont_dbl_18(ry, p->y, p1024_mod);
    /* ty = 4 * p.y ^ 2 */
    sp_1024_mont_sqr_18(ty, ry, p1024_mod, p1024_mp_mod);
    /* t1 = 2 * p.y ^ 2 */
    sp_1024_mont_div2_18(t1, ty, p1024_mod);
    /* r.x -= 2 * (p.y ^ 2) */
    sp_1024_mont_sub_18(rx, rx, t1, p1024_mod);
    /* p'.z = p.y * 2 * p.z */
    sp_1024_mont_mul_18(p->z, p->z, ry, p1024_mod, p1024_mp_mod);
    /* r.y = p'.z * p.z^2 */
    sp_1024_mont_mul_18(t1, p->z, pz2, p1024_mod, p1024_mp_mod);
    /* r.y = p'.z * p.z^2 * q.y */
    sp_1024_mont_mul_18(ry, t1, q->y, p1024_mod, p1024_mp_mod);
    /* v = v^2 * r */
    sp_1024_proj_mul_18(vx, vy, rx, ry, t);

    /* Double point using previously calculated values
     *   l = 3 * (p.x - p.z^2).(p.x + p.z^2)
     *   ty = 4 * p.y^2
     *   p'.z = 2 * p.y * p.z
     */
    /* t1 = (4 * p.y^2) ^ 2 = 16 * p.y^4 */
    sp_1024_mont_sqr_18(t1, ty, p1024_mod, p1024_mp_mod);
    /* t1 = 16 * p.y^4 / 2 = 8 * p.y^4 */
    sp_1024_mont_div2_18(t1, t1, p1024_mod);
    /* p'.y = 4 * p.y^2 * p.x */
    sp_1024_mont_mul_18(p->y, ty, p->x, p1024_mod, p1024_mp_mod);
    /* p'.x = l^2 */
    sp_1024_mont_sqr_18(p->x, l, p1024_mod, p1024_mp_mod);
    /* p'.x = l^2 - 4 * p.y^2 * p.x */
    sp_1024_mont_sub_18(p->x, p->x, p->y, p1024_mod);
    /* p'.x = l^2 - 8 * p.y^2 * p.x */
    sp_1024_mont_sub_18(p->x, p->x, p->y, p1024_mod);
    /* p'.y = 4 * p.y^2 * p.x - p.x' */
    sp_1024_mont_sub_18(ty, p->y, p->x, p1024_mod);
    /* p'.y = (4 * p.y^2 * p.x - p'.x) * l */
    sp_1024_mont_mul_18(p->y, ty, l, p1024_mod, p1024_mp_mod);
    /* p'.y = (4 * p.y^2 * p.x - p'.x) * l - 8 * p.y^4 */
    sp_1024_mont_sub_18(p->y, p->y, t1, p1024_mod);
}

#ifdef WOLFSSL_SP_SMALL
/*
 * Calculate gradient of line through C, P and -C-P, accumulate line and
 * add P to C.
 *
 * Calculations:
 *   r.x = (q.x + p.x) * c.y - (q.x * c.z^2 + c.x) * p.y * c.z
 *   r.y = (c.x - p.x * c.z^2) * q.y * c.z
 *   v* = v* * r*
 *   r = p.y * c.z^3 - c.y
 *   c'.x = r^2 + h^3 - 2 * c.x * h^2
 *   c'.y = r * (c'.x - c.x * h^2) - c.y * h^3
 *   c'.z = (c.x - p.x * c.z^2) * c.z
 *
 * @param  [in,out]  vx     X-ordinate of projective value in F*.
 * @param  [in,out]  vy     Y-ordinate of projective value in F*.
 * @param  [in,out]  c      ECC point - current point on E(F_p^2) to be added
 *                          to.
 * @param  [in]      p      ECC point - point on E(F_p^2) to add.
 * @param  [in]      q      ECC point - second point on E(F_P^2).
 * @param  [in]      qx_px  SP that is a constant value across adds.
 * @param  [in]      t      SP temporaries (6 used).
 */
static void sp_1024_accumulate_line_add_one_18(sp_digit* vx, sp_digit* vy,
        sp_point_1024* c, sp_point_1024* p, sp_point_1024* q, sp_digit* qx_px,
        sp_digit* t)
{
    sp_digit* t1  = t;
    sp_digit* t2  = t +  2 * 18;
    sp_digit* rx  = t +  4 * 18;
    sp_digit* ry  = t +  6 * 18;
    sp_digit* h   = t +  8 * 18;
    sp_digit* r   = t + 10 * 18;

    /* r.x = (q.x + p.x) * c.y */
    sp_1024_mont_mul_18(rx, qx_px, c->y, p1024_mod, p1024_mp_mod);
    /* t2 = c.z^2 */
    sp_1024_mont_sqr_18(t2, c->z, p1024_mod, p1024_mp_mod);
    /* t1 = q.x * c.z^2 */
    sp_1024_mont_mul_18(t1, q->x, t2, p1024_mod, p1024_mp_mod);
    /* t1 = q.x * c.z^2 + c.x */
    sp_1024_mont_add_18(h, t1, c->x, p1024_mod);
    /* r = p.y * c.z */
    sp_1024_mont_mul_18(ry, p->y, c->z, p1024_mod, p1024_mp_mod);
    /* t1 = (q.x * c.z^2 + c.x) * p.y * c.z */
    sp_1024_mont_mul_18(t1, h, ry, p1024_mod, p1024_mp_mod);
    /* r = p.y * c.z * c.z^2 = p.y * c.z^3  */
    sp_1024_mont_mul_18(r, ry, t2, p1024_mod, p1024_mp_mod);
    /* r.x -= (q.x * c.z^2 + c.x) * p.y * c.z */
    sp_1024_mont_sub_18(rx, rx, t1, p1024_mod);
    /* t1 = p.x * c.z^2 */
    sp_1024_mont_mul_18(t1, p->x, t2, p1024_mod, p1024_mp_mod);
    /* h = c.x - p.x * c.z^2 */
    sp_1024_mont_sub_18(h, c->x, t1, p1024_mod);
    /* c'.z = (c.x - p.x * c.z^2) * c.z */
    sp_1024_mont_mul_18(c->z, h, c->z, p1024_mod, p1024_mp_mod);
    /* r.y = (c.x - p.x * c.z^2) * c.z * q.y */
    sp_1024_mont_mul_18(ry, c->z, q->y, p1024_mod, p1024_mp_mod);
    /* v = v * r */
    sp_1024_proj_mul_18(vx, vy, rx, ry, t);

    /* Add p to c using previously calculated values.
     *   h = c.x - p.x * c.z^2
     *   r = p.y * c.z^3
     *   c'.z = (c.x - p.x * c.z^2) * c.z
     */

    /* r = p.y * c.z^3 - c.y */
    sp_1024_mont_sub_18(r, r, c->y, p1024_mod);
    /* t1 = r^2 */
    sp_1024_mont_sqr_18(t1, r, p1024_mod, p1024_mp_mod);
    /* t2 = h^2 */
    sp_1024_mont_sqr_18(rx, h, p1024_mod, p1024_mp_mod);
    /* ry = c.x * h^2 */
    sp_1024_mont_mul_18(ry, c->x, rx, p1024_mod, p1024_mp_mod);
    /* t2 = h^3 */
    sp_1024_mont_mul_18(t2, rx, h, p1024_mod, p1024_mp_mod);
    /* c->x = r^2 + h^3 */
    sp_1024_mont_add_18(c->x, t1, t2, p1024_mod);
    /* t1 = 2 * c.x * h^2 */
    sp_1024_mont_dbl_18(t1, ry, p1024_mod);
    /* c'.x = r^2 + h^3 - 2 * c.x * h^2 */
    sp_1024_mont_sub_18(c->x, c->x, t1, p1024_mod);
    /* ry = c'.x - c.x * h^2 */
    sp_1024_mont_sub_18(t1, c->x, ry, p1024_mod);
    /* ry = r * (c'.x - c.x * h^2) */
    sp_1024_mont_mul_18(ry, t1, r, p1024_mod, p1024_mp_mod);
    /* t2 = c.y * h^3 */
    sp_1024_mont_mul_18(t1, t2, c->y, p1024_mod, p1024_mp_mod);
    /* c'.y = r * (c'.x - c.x * h^2) - c.y * h^3 */
    sp_1024_mont_sub_18(c->y, ry, t1, p1024_mod);
}

/*
 * Calculate r = pairing <P, Q>.
 *
 * That is, multiply base in PF_p[q] by the scalar s, such that s.P = Q.
 *
 * @param  [in]  key  SAKKE key.
 * @param  [in]  p    First point on E(F_p)[q].
 * @param  [in]  q    Second point on E(F_p)[q].
 * @param  [in]  r    Result of calculation.
 * @return  0 on success.
 * @return  MEMORY_E when dynamic memory allocation fails.
 * @return  Other -ve value on internal failure.
 */
int sp_Pairing_1024(const ecc_point* pm, const ecc_point* qm, mp_int* res)
{
    int err = MP_OKAY;
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td = NULL;
    sp_digit* t;
    sp_digit* vx;
    sp_digit* vy;
    sp_digit* qx_px;
#else
    sp_digit t[36 * 2 * 18];
    sp_digit vx[2 * 18];
    sp_digit vy[2 * 18];
    sp_digit qx_px[2 * 18];
    sp_point_1024 pd;
    sp_point_1024 qd;
    sp_point_1024 cd;
#endif
    sp_point_1024* p = NULL;
    sp_point_1024* q = NULL;
    sp_point_1024* c = NULL;
    sp_digit* r = NULL;
    int i;

    err = sp_1024_point_new_18(NULL, pd, p);
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, qd, q);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, cd, c);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 39 * 18 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t     = td;
        vx    = td + 36 * 18 * 2;
        vy    = td + 37 * 18 * 2;
        qx_px = td + 38 * 18 * 2;
#endif
        r = vy;

        sp_1024_point_from_ecc_point_18(p, pm);
        sp_1024_point_from_ecc_point_18(q, qm);

        err = sp_1024_mod_mul_norm_18(p->x, p->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->y, p->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->z, p->z, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->x, q->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->y, q->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        XMEMCPY(c, p, sizeof(sp_point_1024));
        XMEMSET(vx, 0, sizeof(sp_digit) * 2 * 18);
        vx[0] = 1;
        XMEMSET(vy, 0, sizeof(sp_digit) * 2 * 18);

        sp_1024_mont_add_18(qx_px, q->x, p->x, p1024_mod);

        for (i = 1020; i >= 0; i--) {
            /* Accumulate line into v and double point. */
            sp_1024_accumulate_line_dbl_18(vx, vy, c, q, t);

            if ((i > 0) && ((p1024_order[i / 57] >> (i % 57)) & 1)) {
                /* Accumulate line into v and add P into C. */
                sp_1024_accumulate_line_add_one_18(vx, vy, c, p, q, qx_px, t);
            }
        }

        /* Final exponentiation */
        sp_1024_proj_sqr_18(vx, vy, t);
        sp_1024_proj_sqr_18(vx, vy, t);

        /* Convert from PF_p[q] to F_p */
        sp_1024_mont_inv_18(vx, vx, t);
        sp_1024_mont_mul_18(r, vx, vy, p1024_mod, p1024_mp_mod);
        XMEMSET(r + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(r, p1024_mod, p1024_mp_mod);

        err = sp_1024_to_mp(r, res);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    sp_1024_point_free_18(c, 1, NULL);
    sp_1024_point_free_18(q, 1, NULL);
    sp_1024_point_free_18(p, 1, NULL);
    return err;
}

#else
/*
 * Calculate gradient of line through C, P and -C-P, accumulate line and
 * add P to C.
 *
 * Both C and P have z ordinates to use in the calculation.
 *
 * Calculations:
 *   r.x  = (q.x * c.z^2 + c.x) * p.y * c.z - (q.x * p.z^2 + p.x) * c.y * p.z
 *   r.y  = (p.x * c.z^2 - c.x * p.z^2) * q.y * p.z * c.z
 *   v*   = v* * r*
 *   h    = p.x * c.z^2 - c.x * p.z^2
 *   r    = p.y * c.z^3 - c.y * p.z^3
 *   c'.x = r^2 - h^3 - 2 * c.x * p.z^2 * h^2
 *   c'.y = r * (c.x * p.z^2 * h^2 - c'.x) - c.y * p.z^3 * h^3
 *   c'.z = (p.x * c.z^2 - c.x * p.z^2) * c.z
 *
 * @param  [in,out]  vx     X-ordinate of projective value in F*.
 * @param  [in,out]  vy     Y-ordinate of projective value in F*.
 * @param  [in,out]  c      ECC point - current point on E(F_p^2) to be added
 *                          to.
 * @param  [in,out]  p      ECC point - point on E(F_p^2) to add.
 * @param  [in,out]  q      ECC point - second point on E(F_P^2).
 * @param  [in,out]  t      SP temporaries (6 used).
 * @param  [in,out]  neg    Indicates to use negative P.
 * @return  0 on success.
 * @return  MEMORY_E when dynamic memory allocation fails.
 * @return  Other -ve value on internal failure.
 */
static void sp_1024_accumulate_line_add_n_18(sp_digit* vx, sp_digit* vy,
        const sp_point_1024* p, const sp_point_1024* q,
        sp_point_1024* c, sp_digit* t, int neg)
{
    sp_digit* t1 = t;
    sp_digit* t2 = t +  2 * 18;
    sp_digit* rx = t +  4 * 18;
    sp_digit* ry = t +  6 * 18;
    sp_digit* h  = t +  8 * 18;
    sp_digit* r  = t + 10 * 18;

    /* h = p.z^2 */
    sp_1024_mont_sqr_18(h, p->z, p1024_mod, p1024_mp_mod);
    /* rx = q.x * p.z^2 */
    sp_1024_mont_mul_18(rx, q->x, h, p1024_mod, p1024_mp_mod);
    /* rx = q.x * p.z^2 + p.x */
    sp_1024_mont_add_18(t2, rx, p->x, p1024_mod);
    /* c.y = c.y * p.z */
    sp_1024_mont_mul_18(t1, c->y, p->z, p1024_mod, p1024_mp_mod);
    /* r.x = (q.x * p.z^2 + p.x) * c.y * p.z */
    sp_1024_mont_mul_18(rx, t2, t1, p1024_mod, p1024_mp_mod);
    /* c.y = c.y * p.z^3 */
    sp_1024_mont_mul_18(c->y, t1, h, p1024_mod, p1024_mp_mod);
    /* t2 = c.z^2 */
    sp_1024_mont_sqr_18(t2, c->z, p1024_mod, p1024_mp_mod);
    /* t1 = q.x * c.z^2 */
    sp_1024_mont_mul_18(t1, q->x, t2, p1024_mod, p1024_mp_mod);
    /* t1 = q.x * c.z^2 + c.x */
    sp_1024_mont_add_18(t1, t1, c->x, p1024_mod);
    /* c.x = c.x * p.z^2 */
    sp_1024_mont_mul_18(c->x, c->x, h, p1024_mod, p1024_mp_mod);
    /* r = p.y * c.z */
    sp_1024_mont_mul_18(r, p->y, c->z, p1024_mod, p1024_mp_mod);
    if (neg) {
        /* r = -p.y * c.z */
        sp_1024_mont_sub_18(r, p1024_mod, r, p1024_mod);
    }
    /* t1 = (q.x * c.z^2 + c.x) * p.y * c.z */
    sp_1024_mont_mul_18(ry, t1, r, p1024_mod, p1024_mp_mod);
    /* r.x -= (q.x * c.z^2 + c.x) * p.y * c.z */
    sp_1024_mont_sub_18(rx, ry, rx, p1024_mod);
    /* t1 = p.x * c.z^2 */
    sp_1024_mont_mul_18(t1, p->x, t2, p1024_mod, p1024_mp_mod);
    /* h = p.x * c.z^2 - c.x * p.z^2 */
    sp_1024_mont_sub_18(h, t1, c->x, p1024_mod);
    /* c'.z = (p.x * c.z^2 - c.x * p.z^2) * c.z */
    sp_1024_mont_mul_18(t1, h, c->z, p1024_mod, p1024_mp_mod);
    /* c'.z = (p.x * c.z^2 - c.x * p.z^2) * c.z * p.z */
    sp_1024_mont_mul_18(c->z, t1, p->z, p1024_mod, p1024_mp_mod);
    /* r.y = (p.x * c.z^2 - c.x * p.z^2) * c.z * p.z * q.y */
    sp_1024_mont_mul_18(ry, c->z, q->y, p1024_mod, p1024_mp_mod);
    /* r = p.y * c.z^3 */
    sp_1024_mont_mul_18(t1, r, t2, p1024_mod, p1024_mp_mod);
    /* r = p.y * c.z^3 - c.y * p.z^3 */
    sp_1024_mont_sub_18(r, t1, c->y, p1024_mod);
    /* v = v * r */
    sp_1024_proj_mul_18(vx, vy, rx, ry, t);

    /* Add p to c using previously calculated values.
     *   h = p.x * c.z^2 - c.x * p.z^2
     *   r = p.y * c.z^3 - c.y * p.z^3
     *   c'.z = (p.x * c.z^2 - c.x * p.z^2) * c.z
     */

    /* t1 = r^2 */
    sp_1024_mont_sqr_18(t1, r, p1024_mod, p1024_mp_mod);
    /* t2 = h^2 */
    sp_1024_mont_sqr_18(rx, h, p1024_mod, p1024_mp_mod);
    /* ry = c.x * p.z^2 * h^2 */
    sp_1024_mont_mul_18(ry, rx, c->x, p1024_mod, p1024_mp_mod);
    /* t2 = h^3 */
    sp_1024_mont_mul_18(t2, rx, h, p1024_mod, p1024_mp_mod);
    /* c'.x = r^2 - h^3 */
    sp_1024_mont_sub_18(c->x, t1, t2, p1024_mod);
    /* t1 = 2 * c.x * p.z^2 * h^2 */
    sp_1024_mont_dbl_18(t1, ry, p1024_mod);
    /* c'.x = r^2 - h^3 - 2 * c.x * p.z^2 * h^2 */
    sp_1024_mont_sub_18(c->x, c->x, t1, p1024_mod);
    /* ry = c.x * p.z^2 * h^2 - c'.x */
    sp_1024_mont_sub_18(t1, ry, c->x, p1024_mod);
    /* ry = r * (c.x * p.z^2 * h^2 - c'.x) */
    sp_1024_mont_mul_18(ry, t1, r, p1024_mod, p1024_mp_mod);
    /* t2 = c.y * p.z^3 * h^3 */
    sp_1024_mont_mul_18(t1, t2, c->y, p1024_mod, p1024_mp_mod);
    /* c'.y = r * (c.x * p.z^2 * h^2 - c'.x) - c.y * p.z^3 * h^3 */
    sp_1024_mont_sub_18(c->y, ry, t1, p1024_mod);
}

/*
 * Perform n accumulate doubles and doubles of P.
 *
 * py = 2 * p.y
 *
 * For each double:
 * Calculate gradient of line through P, P and [-2]P, accumulate line and
 * double P.
 *
 * Calculations:
 *   l = 3 * (p.x^2 - p.z^4) = 3 * (p.x - p.z^2) * (p.x + p.z^2)
 *   r.x = l * (p.x + q.x * p.z^2) - py^2 / 2
 *   r.y = py * p.z^3 * q.y (= p'.z * p.z^2 * q.y)
 *   v* = v*^2 * r*
 *   p'.x = l^2 - 2 * py^2 * p.x
 *   py' = (py^2 * p.x - p'.x) * l - py^4 (= 2 * p'.y)
 *   p'.z = py * p.z
 *
 * Finally:
 *   p'.y = py' / 2
 *
 * @param  [in,out]  vx  X-ordinate of projective value in F*.
 * @param  [in,out]  vy  Y-ordinate of projective value in F*.
 * @param  [in,out]  p   ECC point - point on E(F_p^2) to double.
 * @param  [in]      q   ECC point - second point on E(F_P^2).
 * @param  [in]      n   Number of times to double.
 * @param  [in]      t   SP temporaries (6 used).
 */
static void sp_1024_accumulate_line_dbl_n_18(sp_digit* vx, sp_digit* vy,
        sp_point_1024* p, const sp_point_1024* q, int n, sp_digit* t)
{
    sp_digit* t1  = t +  0 * 18;
    sp_digit* pz2 = t +  2 * 18;
    sp_digit* rx  = t +  4 * 18;
    sp_digit* ry  = t +  6 * 18;
    sp_digit* l   = t +  8 * 18;
    sp_digit* ty  = t + 10 * 18;
    int i;

    /* py = 2 * p.y */
    sp_1024_mont_dbl_18(p->y, p->y, p1024_mod);

    for (i = 0; i < n; i++) {
        /* v = v^2 */
        sp_1024_proj_sqr_18(vx, vy, t);
        /* pz2 = p.z^2 */
        sp_1024_mont_sqr_18(pz2, p->z, p1024_mod, p1024_mp_mod);
        /* t1 = p.x + p.z^2 */
        sp_1024_mont_add_18(t1, p->x, pz2, p1024_mod);
        /* l = p.x - p.z^2 */
        sp_1024_mont_sub_18(l, p->x, pz2, p1024_mod);
        /* t1 = (p.x + p.z^2) * (p.x - p.z^2) = p.x^2 - p.z^4 */
        sp_1024_mont_mul_18(ty, l, t1, p1024_mod, p1024_mp_mod);
        /* l = 3 * (p.x^2 - p.z^4) */
        sp_1024_mont_tpl_18(l, ty, p1024_mod);
        /* t1 = q.x * p.z^2 */
        sp_1024_mont_mul_18(t1, q->x, pz2, p1024_mod, p1024_mp_mod);
        /* t1 = p.x + q.x * p.z^2 */
        sp_1024_mont_add_18(t1, p->x, t1, p1024_mod);
        /* r.x = l * (p.x + q.x * p.z^2) */
        sp_1024_mont_mul_18(rx, l, t1, p1024_mod, p1024_mp_mod);
        /* ty = py ^ 2 */
        sp_1024_mont_sqr_18(ty, p->y, p1024_mod, p1024_mp_mod);
        /* t1 = py ^ 2 / 2 */
        sp_1024_mont_div2_18(t1, ty, p1024_mod);
        /* r.x -= py ^ 2 / 2 */
        sp_1024_mont_sub_18(rx, rx, t1, p1024_mod);
        /* p'.z = py * pz */
        sp_1024_mont_mul_18(p->z, p->z, p->y, p1024_mod, p1024_mp_mod);
        /* r.y = p'.z * p.z^2 */
        sp_1024_mont_mul_18(t1, p->z, pz2, p1024_mod, p1024_mp_mod);
        /* r.y = p'.z * p.z^2 * q.y */
        sp_1024_mont_mul_18(ry, t1, q->y, p1024_mod, p1024_mp_mod);
        /* v = v^2 * r */
        sp_1024_proj_mul_18(vx, vy, rx, ry, t);

        /* Double point using previously calculated values
         *   l = 3 * (p.x - p.z^2).(p.x + p.z^2)
         *   ty = py^2
         *   p'.z = py * p.z
         */
        /* t1 = py^2 ^ 2 = py^4 */
        sp_1024_mont_sqr_18(t1, ty, p1024_mod, p1024_mp_mod);
        /* py' = py^2 * p. x */
        sp_1024_mont_mul_18(p->y, ty, p->x, p1024_mod, p1024_mp_mod);
        /* p'.x = l^2 */
        sp_1024_mont_sqr_18(p->x, l, p1024_mod, p1024_mp_mod);
        /* p'.x = l^2 - py^2 * p.x */
        sp_1024_mont_sub_18(p->x, p->x, p->y, p1024_mod);
        /* p'.x = l^2 - 2 * p.y^2 * p.x */
        sp_1024_mont_sub_18(p->x, p->x, p->y, p1024_mod);
        /* py' = py^2 * p.x - p.x' */
        sp_1024_mont_sub_18(ty, p->y, p->x, p1024_mod);
        /* py' = (p.y^2 * p.x - p'.x) * l */
        sp_1024_mont_mul_18(p->y, ty, l, p1024_mod, p1024_mp_mod);
        /* py' = (p.y^2 * p.x - p'.x) * l * 2 */
        sp_1024_mont_dbl_18(p->y, p->y, p1024_mod);
        /* py' = (p.y^2 * p.x - p'.x) * l * 2 - p.y^4 */
        sp_1024_mont_sub_18(p->y, p->y, t1, p1024_mod);
    }

    /* p'.y = py' / 2 */
    sp_1024_mont_div2_18(p->y, p->y, p1024_mod);
}

/* Operations to perform based on order - 1.
 * Sliding window. Start at bottom and stop when bottom bit is one.
 * Subtract if top bit in window is one.
 * Width of 6 bits.
 * Pairs: #dbls, add/subtract window value
 */
static const signed char sp_1024_order_op[] = {
   5,   6, -13,   9, -21,   6,  -5,   8,  31,   6,   3,   6, -27,   6,  25,   9,
  -1,   6, -11,   6, -13,   6,  -7,   6, -15,   6, -29,   7,  25,   6,  -9,   6,
 -19,   7,   3,   6,  11,   9, -23,   6,   1,   6,  27,   6,   1,   7, -25,   8,
  13,   7, -13,   7, -23,  10,  19,   7,   7,   7,  -3,   7,  27,   6,  -7,   7,
 -21,   7,  11,   7,  31,   8,   1,   7, -23,   6, -17,   6,  -3,  10,  11,   6,
 -21,   7, -27,  11, -29,   6,  -1,  10,  15,   8,  27,   7,  17,   6,  17,   7,
 -13,   8,  13,   6,  21,   7, -29,   6,  19,   7, -25,   6,  11,   9,  29,   7,
  -7,   8,  27,   7,  29,  10,  -1,   8,  -7,   8,  17,   6,  17,   7, -27,   7,
 -21,   6,  -9,   6, -27,  12, -23,   6,  19,   6,  13,   6, -11,   7,  27,   6,
  17,   6,  -7,   6, -25,   7, -29,   6,   9,   7,   7,   6,  13,   6, -25,   6,
 -19,   6,  13,   6, -11,   6,   5,   8,  19,   6, -21,   8,  23,   7,  27,   6,
 -13,   6, -19,  11,  29,   7, -15,   6,  -9,   7, -21,  10,  -3,   7,  21,  10,
  25,   6, -15,   6, -23,   6,  21,   6,   1,   6,  21,   7,  -3,   6,  -3,   7,
  -7,   6, -23,   7,   7,   8,  15,   9,   5,   6, -11,   6,  21,  11, -27,   7,
  27,   6, -11,   6,  31,   6, -21,   6,  19,   6,  -7,   8,  -7,  13,  -3,   6,
  -7,   7,  -3,   6,   1,   6,   7,   8,  19,   8,  11,   9,  -9,   7, -31,  12,
  25,   6, -17,   9, -15,   7,   5,   6,  25,   7,  -5,   7, -25,   6,  17,   8,
 -19,   6, -13,   6,  27,   8,   1,   7,  -5,   7,  -1,   6,  21,   6,   3,  10,
  -3,   1,
};
/*
 * Calculate r = pairing <P, Q>.
 *
 * That is, multiply base in PF_p[q] by the scalar s, such that s.P = Q.
 *
 * Sliding window. Start at bottom and stop when bottom bit is one.
 * Subtract if top bit in window is one.
 * Width of 6 bits.
 *
 * @param  [in]  pm   First point on E(F_p)[q].
 * @param  [in]  qm   Second point on E(F_p)[q].
 * @param  [in]  res  Result of calculation.
 * @return  0 on success.
 * @return  MEMORY_E when dynamic memory allocation fails.
 */
int sp_Pairing_1024(const ecc_point* pm, const ecc_point* qm, mp_int* res)
{
    int err;
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td = NULL;
    sp_digit* t;
    sp_digit* vx;
    sp_digit* vy;
    sp_digit (*pre_vx)[36];
    sp_digit (*pre_vy)[36];
    sp_digit (*pre_nvy)[36];
    sp_point_1024* pre_p;
#else
    sp_digit t[36 * 2 * 18];
    sp_digit vx[2 * 18];
    sp_digit vy[2 * 18];
    sp_digit pre_vx[16][36];
    sp_digit pre_vy[16][36];
    sp_digit pre_nvy[16][36];
    sp_point_1024 pre_p[16];
    sp_point_1024 pd;
    sp_point_1024 qd;
    sp_point_1024 cd;
#endif
    sp_point_1024* p = NULL;
    sp_point_1024* q = NULL;
    sp_point_1024* c = NULL;
    sp_digit* r = NULL;
    int i;
    int j;

    err = sp_1024_point_new_18(NULL, pd, p);
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, qd, q);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, cd, c);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 86 * 18 * 2 + 16 * sizeof(sp_point_1024), NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t       = td;
        vx      = td + 36 * 18 * 2;
        vy      = td + 37 * 18 * 2;
        pre_vx  = (sp_digit(*)[36])(td + 38 * 18 * 2);
        pre_vy  = (sp_digit(*)[36])(td + 54 * 18 * 2);
        pre_nvy = (sp_digit(*)[36])(td + 70 * 18 * 2);
        pre_p   = (sp_point_1024*)(td + 86 * 18 * 2);
#endif
        r = vy;

        sp_1024_point_from_ecc_point_18(p, pm);
        sp_1024_point_from_ecc_point_18(q, qm);

        err = sp_1024_mod_mul_norm_18(p->x, p->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->y, p->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->z, p->z, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->x, q->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->y, q->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        /* Generate pre-computation table: 1, 3, ... , 31 */
        XMEMCPY(&pre_p[0], p, sizeof(sp_point_1024));
        XMEMSET(pre_vx[0], 0, sizeof(sp_digit) * 2 * 18);
        pre_vx[0][0] = 1;
        XMEMSET(pre_vy[0], 0, sizeof(sp_digit) * 2 * 18);
        sp_1024_mont_sub_18(pre_nvy[0], p1024_mod, pre_vy[0], p1024_mod);

        /* [2]P for adding */
        XMEMCPY(c, p, sizeof(sp_point_1024));
        XMEMSET(vx, 0, sizeof(sp_digit) * 2 * 18);
        vx[0] = 1;
        XMEMSET(vy, 0, sizeof(sp_digit) * 2 * 18);
        sp_1024_accumulate_line_dbl_18(vx, vy, c, q, t);

        /* 3, 5, ... */
        for (i = 1; i < 16; i++) {
            XMEMCPY(&pre_p[i], &pre_p[i-1], sizeof(sp_point_1024));
            XMEMCPY(pre_vx[i], pre_vx[i-1], sizeof(sp_digit) * 2 * 18);
            XMEMCPY(pre_vy[i], pre_vy[i-1], sizeof(sp_digit) * 2 * 18);
            sp_1024_proj_mul_18(pre_vx[i], pre_vy[i], vx, vy, t);
            sp_1024_accumulate_line_add_n_18(pre_vx[i], pre_vy[i], c,
                    q, &pre_p[i], t, 0);
            sp_1024_mont_sub_18(pre_nvy[i], p1024_mod, pre_vy[i], p1024_mod);
        }

        j = sp_1024_order_op[0] / 2;
        XMEMCPY(c, &pre_p[j], sizeof(sp_point_1024));
        XMEMCPY(vx, pre_vx[j], sizeof(sp_digit) * 2 * 18);
        XMEMCPY(vy, pre_vy[j], sizeof(sp_digit) * 2 * 18);

        /* Accumulate line into v and double point n times. */
        sp_1024_accumulate_line_dbl_n_18(vx, vy, c, q,
                sp_1024_order_op[1], t);

        for (i = 2; i < 290; i += 2) {
            j = sp_1024_order_op[i];
            if (j > 0) {
                j /= 2;
                /* Accumulate line into v and add P into C. */
                sp_1024_proj_mul_18(vx, vy, pre_vx[j], pre_vy[j], t);
                sp_1024_accumulate_line_add_n_18(vx, vy, &pre_p[j], q, c,
                    t, 0);
            }
            else {
                j = -j / 2;
                /* Accumulate line into v and add P into C. */
                sp_1024_proj_mul_18(vx, vy, pre_vx[j], pre_nvy[j], t);
                sp_1024_accumulate_line_add_n_18(vx, vy, &pre_p[j], q, c,
                    t, 1);
            }

            /* Accumulate line into v and double point n times. */
            sp_1024_accumulate_line_dbl_n_18(vx, vy, c, q,
                    sp_1024_order_op[i + 1], t);
        }

        /* Final exponentiation */
        sp_1024_proj_sqr_18(vx, vy, t);
        sp_1024_proj_sqr_18(vx, vy, t);

        /* Convert from PF_p[q] to F_p */
        sp_1024_mont_inv_18(vx, vx, t);
        sp_1024_mont_mul_18(r, vx, vy, p1024_mod, p1024_mp_mod);
        XMEMSET(r + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(r, p1024_mod, p1024_mp_mod);

        err = sp_1024_to_mp(r, res);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    sp_1024_point_free_18(c, 1, NULL);
    sp_1024_point_free_18(q, 1, NULL);
    sp_1024_point_free_18(p, 1, NULL);
    return err;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef WOLFSSL_SP_SMALL
/*
 * Generate table for pairing.
 *
 * Small implementation does not use a table - returns 0 length.
 *
 * pm     [in]      Point to generate table for.
 * table  [in]      Generated table.
 * len    [in,out]  On in, the size of the buffer.
 *                  On out, length of table generated.
 * @return  0 on success.
 *          LENGTH_ONLY_E when table is NULL and only length returned.
 *          BUFFER_E when len is too small.
 */
int sp_Pairing_gen_precomp_1024(const ecc_point* pm, byte* table,
        word32* len)
{
    int err = 0;

    if (table == NULL) {
        *len = 0;
        err = LENGTH_ONLY_E;
    }
    else if (*len != 0) {
        err = BUFFER_E;
    }

    (void)*pm;

    return err;
}

/*
 * Calculate r = pairing <P, Q>.
 *
 * That is, multiply base in PF_p[q] by the scalar s, such that s.P = Q.
 *
 * Small implementation does not use a table - use the normal implementation.
 *
 * @param  [in]  pm     First point on E(F_p)[q].
 * @param  [in]  qm     Second point on E(F_p)[q].
 * @param  [in]  res    Result of calculation.
 * @param  [in]  table  Precomputed table of values.
 * @param  [in]  len    Length of precomputed table of values in bytes.
 * @return  0 on success.
 * @return  MEMORY_E when dynamic memory allocation fails.
 */
int sp_Pairing_precomp_1024(const ecc_point* pm, const ecc_point* qm,
    mp_int* res, const byte* table, word32 len)
{
    (void)table;
    (void)len;
    return sp_Pairing_1024(pm, qm, res);
}

#else
/*
 * Calc l and c for the point when doubling p.
 *
 * l = 3 * (p.x^2 - 1) / (2 * p.y)
 * c = l * p.x - p.y
 *
 * @param  [out]  lr  Gradient result - table entry.
 * @param  [out]  cr  Constant result - table entry.
 * @param  [in]   px  X-ordinate of point to double.
 * @param  [in]   py  Y-ordinate of point to double.
 * @param  [in]   t   SP temporaries (3 used).
 */
static void sp_1024_accum_dbl_calc_lc_18(sp_digit* lr, sp_digit* cr,
        const sp_digit* px, const sp_digit* py, sp_digit* t)
{
    sp_digit* t1 = t + 33 * 2 * 18;
    sp_digit* t2 = t + 34 * 2 * 18;
    sp_digit* l  = t + 35 * 2 * 18;

    /* l = 1 / 2 * p.y */
    sp_1024_mont_dbl_18(l, py, p1024_mod);
    sp_1024_mont_inv_18(l, l, t);

    /* t1 = p.x^2 */
    sp_1024_mont_sqr_18(t1, px, p1024_mod, p1024_mp_mod);
    /* t1 = p.x - 1 */
    sp_1024_mont_sub_18(t1, t1, p1024_norm_mod, p1024_mod);
    /* t1 = 3 * (p.x^2 - 1) */
    sp_1024_mont_dbl_18(t2, t1, p1024_mod);
    sp_1024_mont_add_18(t1, t1, t2, p1024_mod);
    /* t1 = 3 * (p.x^2 - 1) / (2 * p.y) */
    sp_1024_mont_mul_18(l, l, t1, p1024_mod, p1024_mp_mod);
    /* t2 = l * p.x */
    sp_1024_mont_mul_18(t2, l, px, p1024_mod, p1024_mp_mod);
    /* c = t2 = l * p.x - p.y */
    sp_1024_mont_sub_18(t2, t2, py, p1024_mod);

    XMEMCPY(lr, l, sizeof(sp_digit) * 18);
    XMEMCPY(cr, t2, sizeof(sp_digit) * 18);
}

/*
 * Calc l and c when adding p and c.
 *
 * l = (c.y - p.y) / (c.x - p.x)
 * c = (p.x * c.y - cx * p.y) / (cx - p.x)
 *
 * @param  [out]  lr  Gradient result - table entry.
 * @param  [out]  cr  Constant result - table entry.
 * @param  [in]   px  X-ordinate of point to add.
 * @param  [in]   py  Y-ordinate of point to add.
 * @param  [in]   cx  X-ordinate of current point.
 * @param  [in]   cy  Y-ordinate of current point.
 * @param  [in]   t   SP temporaries (3 used).
 */
static void sp_1024_accum_add_calc_lc_18(sp_digit* lr, sp_digit* cr,
        const sp_digit* px, const sp_digit* py, const sp_digit* cx,
        const sp_digit* cy, sp_digit* t)
{
    sp_digit* t1 = t + 33 * 2 * 18;
    sp_digit* c  = t + 34 * 2 * 18;
    sp_digit* l  = t + 35 * 2 * 18;

    /* l = 1 / (c.x - p.x) */
    sp_1024_mont_sub_18(l, cx, px, p1024_mod);
    sp_1024_mont_inv_18(l, l, t);

    /* c = p.x * c.y */
    sp_1024_mont_mul_18(c, px, cy, p1024_mod, p1024_mp_mod);
    /* t1 = c.x * p.y */
    sp_1024_mont_mul_18(t1, cx, py, p1024_mod, p1024_mp_mod);
    /* c = (p.x * c.y) - (c.x * p.y) */
    sp_1024_mont_sub_18(c, c, t1, p1024_mod);
    /* c = ((p.x * c.y) - (c.x * p.y)) / (c.x - p.x) */
    sp_1024_mont_mul_18(c, c, l, p1024_mod, p1024_mp_mod);
    /* t1 = c.y - p.y */
    sp_1024_mont_sub_18(t1, cy, py, p1024_mod);
    /* l = (c.y - p.y) / (c.x - p.x) */
    sp_1024_mont_mul_18(l, t1, l, p1024_mod, p1024_mp_mod);

    XMEMCPY(lr, l, sizeof(sp_digit) * 18);
    XMEMCPY(cr, c, sizeof(sp_digit) * 18);
}

/*
 * Calculate vx and vy given gradient l and constant c and point q.
 *
 * l is a the gradient and is multiplied by q->x.
 * c is a the constant that is added to the multiplicative result.
 * q->y is the y-ordinate in result to multiply.
 *
 * if dbl
 *   v*  = v*^2
 * r.x = l * q.x + c
 * r.y = q->y
 * v*  = v* * r*
 *
 * @param  [in,out]  vx     X-ordinate of projective value in F*.
 * @param  [in,out]  vy     Y-ordinate of projective value in F*.
 * @param  [in]      l      Gradient to multiply with.
 * @param  [in]      c      Constant to add with.
 * @param  [in]      q      ECC point - second point on E(F_P^2).
 * @param  [in]      t      SP temporaries (3 used).
 * @param  [in]      dbl    Indicates whether this is for doubling. Otherwise
 *                          adding.
 */
static void sp_1024_accumulate_line_lc_18(sp_digit* vx, sp_digit* vy,
        const sp_digit* l, const sp_digit* c, const sp_point_1024* q,
        sp_digit* t, int dbl)
{
    sp_digit* rx = t + 4 * 2 * 18;

    /* v = v^2 */
    if (dbl) {
        sp_1024_proj_sqr_18(vx, vy, t);
    }
    /* rx = l * q.x + c */
    sp_1024_mont_mul_18(rx, l, q->x, p1024_mod, p1024_mp_mod);
    sp_1024_mont_add_18(rx, rx, c, p1024_mod);
    /* v = v^2 * r */
    sp_1024_proj_mul_18(vx, vy, rx, q->y, t);
}

/* Operations to perform based on order - 1.
 * Sliding window. Start at bottom and stop when bottom bit is one.
 * Subtract if top bit in window is one.
 * Width of 6 bits.
 * Pairs: #dbls, add/subtract window value
 */
static const signed char sp_1024_order_op_pre[] = {
   5,   6, -13,   9, -21,   6,  -5,   8,  31,   6,   3,   6, -27,   6,  25,   9,
  -1,   6, -11,   6, -13,   6,  -7,   6, -15,   6, -29,   7,  25,   6,  -9,   6,
 -19,   7,   3,   6,  11,   9, -23,   6,   1,   6,  27,   6,   1,   7, -25,   8,
  13,   7, -13,   7, -23,  10,  19,   7,   7,   7,  -3,   7,  27,   6,  -7,   7,
 -21,   7,  11,   7,  31,   8,   1,   7, -23,   6, -17,   6,  -3,  10,  11,   6,
 -21,   7, -27,  11, -29,   6,  -1,  10,  15,   8,  27,   7,  17,   6,  17,   7,
 -13,   8,  13,   6,  21,   7, -29,   6,  19,   7, -25,   6,  11,   9,  29,   7,
  -7,   8,  27,   7,  29,  10,  -1,   8,  -7,   8,  17,   6,  17,   7, -27,   7,
 -21,   6,  -9,   6, -27,  12, -23,   6,  19,   6,  13,   6, -11,   7,  27,   6,
  17,   6,  -7,   6, -25,   7, -29,   6,   9,   7,   7,   6,  13,   6, -25,   6,
 -19,   6,  13,   6, -11,   6,   5,   8,  19,   6, -21,   8,  23,   7,  27,   6,
 -13,   6, -19,  11,  29,   7, -15,   6,  -9,   7, -21,  10,  -3,   7,  21,  10,
  25,   6, -15,   6, -23,   6,  21,   6,   1,   6,  21,   7,  -3,   6,  -3,   7,
  -7,   6, -23,   7,   7,   8,  15,   9,   5,   6, -11,   6,  21,  11, -27,   7,
  27,   6, -11,   6,  31,   6, -21,   6,  19,   6,  -7,   8,  -7,  13,  -3,   6,
  -7,   7,  -3,   6,   1,   6,   7,   8,  19,   8,  11,   9,  -9,   7, -31,  12,
  25,   6, -17,   9, -15,   7,   5,   6,  25,   7,  -5,   7, -25,   6,  17,   8,
 -19,   6, -13,   6,  27,   8,   1,   7,  -5,   7,  -1,   6,  21,   6,   3,  10,
  -3,   1,
};

/*
 * Generate table for pairing.
 *
 * Calculate the graident (l) and constant (c) at each step of the way.
 * Sliding window. Start at bottom and stop when bottom bit is one.
 * Subtract if top bit in window is one.
 * Width of 6 bits.
 *
 * pm     [in]      Point to generate table for.
 * table  [in]      Generated table.
 * len    [in,out]  On in, the size of the buffer.
 *                  On out, length of table generated.
 * @return  0 on success.
 *          LENGTH_ONLY_E when table is NULL and only length returned.
 *          BUFFER_E when len is too small.
 *          MEMORY_E when dynamic memory allocation fauls.
 */
int sp_Pairing_gen_precomp_1024(const ecc_point* pm, byte* table,
        word32* len)
{
    int err = 0;
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td = NULL;
    sp_digit* t;
    sp_point_1024* pre_p;
#else
    sp_digit t[36 * 2 * 18];
    sp_point_1024 pre_p[16];
    sp_point_1024 pd;
    sp_point_1024 cd;
    sp_point_1024 negd;
#endif
    sp_point_1024* p = NULL;
    sp_point_1024* c = NULL;
    sp_point_1024* neg = NULL;
    int i;
    int j;
    int k;
    sp_table_entry_1024* precomp = (sp_table_entry_1024*)table;

    if (table == NULL) {
        *len = sizeof(sp_table_entry_1024) * 1167;
        err = LENGTH_ONLY_E;
    }

    if ((err == MP_OKAY) &&
            (*len < (int)(sizeof(sp_table_entry_1024) * 1167))) {
        err = BUFFER_E;
    }

    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, pd, p);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, cd, c);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, negd, neg);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 36 * 18 * 2 + 16 *
            sizeof(sp_point_1024), NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t     = td;
        pre_p = (sp_point_1024*)(td + 36 * 18 * 2);
#endif

        sp_1024_point_from_ecc_point_18(p, pm);

        err = sp_1024_mod_mul_norm_18(p->x, p->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->y, p->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        XMEMCPY(p->z, p1024_norm_mod, sizeof(p1024_norm_mod));
        neg->infinity = 0;
        c->infinity = 0;

        /* Generate pre-computation table: 1, 3, ... , 31 */
        XMEMCPY(&pre_p[0], p, sizeof(sp_point_1024));
        /* [2]P for adding */
        sp_1024_proj_point_dbl_18(c, p, t);

        /* 1, 3, ... */
        for (i = 1; i < 16; i++) {
            sp_1024_proj_point_add_18(&pre_p[i], &pre_p[i-1], c, t);
            sp_1024_mont_map_18(&pre_p[i], t);
        }

        k = 0;
        j = sp_1024_order_op_pre[0] / 2;
        XMEMCPY(c, &pre_p[j], sizeof(sp_point_1024));

        for (j = 0; j < sp_1024_order_op_pre[1]; j++) {
            sp_1024_accum_dbl_calc_lc_18(precomp[k].x, precomp[k].y, c->x,
                c->y, t);
            k++;
            sp_1024_proj_point_dbl_18(c, c, t);
            sp_1024_mont_map_18(c, t);
        }

        for (i = 2; i < 290; i += 2) {
            j = sp_1024_order_op_pre[i];
            if (j > 0) {
                sp_1024_accum_add_calc_lc_18(precomp[k].x, precomp[k].y,
                    pre_p[j/2].x, pre_p[j/2].y, c->x, c->y, t);
                k++;
                sp_1024_proj_point_add_18(c, c, &pre_p[j/2], t);
                sp_1024_mont_map_18(c, t);
            }
            else {
                XMEMCPY(neg->x, pre_p[-j / 2].x, sizeof(pre_p->x));
                sp_1024_mont_sub_18(neg->y, p1024_mod, pre_p[-j / 2].y,
                        p1024_mod);
                XMEMCPY(neg->z, pre_p[-j / 2].z, sizeof(pre_p->z));

                sp_1024_accum_add_calc_lc_18(precomp[k].x, precomp[k].y,
                    neg->x, neg->y, c->x, c->y, t);
                k++;
                sp_1024_proj_point_add_18(c, c, neg, t);
                sp_1024_mont_map_18(c, t);
            }

            for (j = 0; j < sp_1024_order_op_pre[i + 1]; j++) {
                sp_1024_accum_dbl_calc_lc_18(precomp[k].x, precomp[k].y, c->x,
                    c->y, t);
                k++;
                sp_1024_proj_point_dbl_18(c, c, t);
                sp_1024_mont_map_18(c, t);
            }
        }

        *len = sizeof(sp_table_entry_1024) * 1167;
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    sp_1024_point_free_18(neg, 1, NULL);
    sp_1024_point_free_18(c, 1, NULL);
    sp_1024_point_free_18(p, 1, NULL);
    return err;
}

/*
 * Calculate r = pairing <P, Q>.
 *
 * That is, multiply base in PF_p[q] by the scalar s, such that s.P = Q.
 *
 * Sliding window. Start at bottom and stop when bottom bit is one.
 * Subtract if top bit in window is one.
 * Width of 6 bits.
 * Pre-generate values in window (1, 3, ...) - only V.
 * Table contains all gradient l and a constant for each point on the path.
 *
 * @param  [in]  pm     First point on E(F_p)[q].
 * @param  [in]  qm     Second point on E(F_p)[q].
 * @param  [in]  res    Result of calculation.
 * @param  [in]  table  Precomputed table of values.
 * @param  [in]  len    Length of precomputed table of values in bytes.
 * @return  0 on success.
 * @return  MEMORY_E when dynamic memory allocation fails.
 */
int sp_Pairing_precomp_1024(const ecc_point* pm, const ecc_point* qm,
    mp_int* res, const byte* table, word32 len)
{
    int err = 0;
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    sp_digit* td = NULL;
    sp_digit* t;
    sp_digit* vx;
    sp_digit* vy;
    sp_digit (*pre_vx)[36];
    sp_digit (*pre_vy)[36];
    sp_digit (*pre_nvy)[36];
#else
    sp_digit t[36 * 2 * 18];
    sp_digit vx[2 * 18];
    sp_digit vy[2 * 18];
    sp_digit pre_vx[16][36];
    sp_digit pre_vy[16][36];
    sp_digit pre_nvy[16][36];
    sp_point_1024 pd;
    sp_point_1024 qd;
    sp_point_1024 cd;
#endif
    sp_point_1024* p = NULL;
    sp_point_1024* q = NULL;
    sp_point_1024* c = NULL;
    sp_digit* r = NULL;
    int i;
    int j;
    int k;
    const sp_table_entry_1024* precomp = (const sp_table_entry_1024*)table;

    if (len < (int)(sizeof(sp_table_entry_1024) * 1167)) {
        err = BUFFER_E;
    }

    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, pd, p);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, qd, q);
    }
    if (err == MP_OKAY) {
        err = sp_1024_point_new_18(NULL, cd, c);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (err == MP_OKAY) {
        td = (sp_digit*)XMALLOC(sizeof(sp_digit) * 86 * 18 * 2, NULL,
                                DYNAMIC_TYPE_TMP_BUFFER);
        if (td == NULL) {
            err = MEMORY_E;
        }
    }
#endif

    if (err == MP_OKAY) {
#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
        t       = td;
        vx      = td + 36 * 18 * 2;
        vy      = td + 37 * 18 * 2;
        pre_vx  = (sp_digit(*)[36])(td + 38 * 18 * 2);
        pre_vy  = (sp_digit(*)[36])(td + 54 * 18 * 2);
        pre_nvy = (sp_digit(*)[36])(td + 70 * 18 * 2);
#endif
        r = vy;

        sp_1024_point_from_ecc_point_18(p, pm);
        sp_1024_point_from_ecc_point_18(q, qm);

        err = sp_1024_mod_mul_norm_18(p->x, p->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->y, p->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(p->z, p->z, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->x, q->x, p1024_mod);
    }
    if (err == MP_OKAY) {
        err = sp_1024_mod_mul_norm_18(q->y, q->y, p1024_mod);
    }
    if (err == MP_OKAY) {
        /* Generate pre-computation table: 1, 3, ... , 31 */
        XMEMSET(pre_vx[0], 0, sizeof(sp_digit) * 2 * 18);
        pre_vx[0][0] = 1;
        XMEMSET(pre_vy[0], 0, sizeof(sp_digit) * 2 * 18);
        sp_1024_mont_sub_18(pre_nvy[0], p1024_mod, pre_vy[0], p1024_mod);

        /* [2]P for adding */
        XMEMCPY(c, p, sizeof(sp_point_1024));
        XMEMSET(vx, 0, sizeof(sp_digit) * 2 * 18);
        vx[0] = 1;
        XMEMSET(vy, 0, sizeof(sp_digit) * 2 * 18);
        sp_1024_accumulate_line_dbl_18(vx, vy, c, q, t);

        /* 3, 5, ... */
        for (i = 1; i < 16; i++) {
            XMEMCPY(pre_vx[i], pre_vx[i-1], sizeof(sp_digit) * 2 * 18);
            XMEMCPY(pre_vy[i], pre_vy[i-1], sizeof(sp_digit) * 2 * 18);
            sp_1024_proj_mul_18(pre_vx[i], pre_vy[i], vx, vy, t);
            sp_1024_accumulate_line_add_n_18(pre_vx[i], pre_vy[i], c,
                q, p, t, 0);
            sp_1024_mont_sub_18(pre_nvy[i], p1024_mod, pre_vy[i],
                p1024_mod);
        }

        XMEMCPY(c->z, p1024_norm_mod, sizeof(sp_digit) * 18);
        c->infinity = 0;
        j = sp_1024_order_op_pre[0] / 2;
        XMEMCPY(vx, pre_vx[j], sizeof(sp_digit) * 2 * 18);
        XMEMCPY(vy, pre_vy[j], sizeof(sp_digit) * 2 * 18);

        k = 0;
        for (j = 0; j < sp_1024_order_op_pre[1]; j++) {
            /* Accumulate line into v and double point. */
            sp_1024_accumulate_line_lc_18(vx, vy, precomp[k].x,
                precomp[k].y, q, t, 1);
            k++;
        }

        for (i = 2; i < 290; i += 2) {
            sp_1024_accumulate_line_lc_18(vx, vy, precomp[k].x,
                precomp[k].y, q, t, 0);
            k++;

            j = sp_1024_order_op_pre[i];
            if (j > 0) {
                j /= 2;
                /* Accumulate line into v. */
                sp_1024_proj_mul_18(vx, vy, pre_vx[j], pre_vy[j], t);
            }
            else {
                j = -j / 2;
                /* Accumulate line into v. */
                sp_1024_proj_mul_18(vx, vy, pre_vx[j], pre_nvy[j], t);
            }

            for (j = 0; j < sp_1024_order_op_pre[i + 1]; j++) {
                /* Accumulate line into v and double point. */
                sp_1024_accumulate_line_lc_18(vx, vy, precomp[k].x,
                    precomp[k].y, q, t, 1);
                k++;
            }
        }

        /* Final exponentiation */
        sp_1024_proj_sqr_18(vx, vy, t);
        sp_1024_proj_sqr_18(vx, vy, t);

        /* Convert from PF_p[q] to F_p */
        sp_1024_mont_inv_18(vx, vx, t);
        sp_1024_mont_mul_18(r, vx, vy, p1024_mod, p1024_mp_mod);
        XMEMSET(r + 18, 0, sizeof(sp_digit) * 18);
        sp_1024_mont_reduce_18(r, p1024_mod, p1024_mp_mod);

        err = sp_1024_to_mp(r, res);
    }

#if (defined(WOLFSSL_SP_SMALL) && !defined(WOLFSSL_SP_NO_MALLOC)) || \
    defined(WOLFSSL_SP_SMALL_STACK)
    if (td != NULL) {
        XFREE(td, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif
    sp_1024_point_free_18(c, 1, NULL);
    sp_1024_point_free_18(q, 1, NULL);
    sp_1024_point_free_18(p, 1, NULL);
    return err;
}

#endif /* WOLFSSL_SP_SMALL */
#ifdef HAVE_ECC_CHECK_KEY
/* Read big endian unsigned byte array into r.
 *
 * r  A single precision integer.
 * size  Maximum number of bytes to convert
 * a  Byte array.
 * n  Number of bytes in array to read.
 */
static void sp_1024_from_bin(sp_digit* r, int size, const byte* a, int n)
{
    int i;
    int j = 0;
    word32 s = 0;

    r[0] = 0;
    for (i = n-1; i >= 0; i--) {
        r[j] |= (((sp_digit)a[i]) << s);
        if (s >= 49U) {
            r[j] &= 0x1ffffffffffffffL;
            s = 57U - s;
            if (j + 1 >= size) {
                break;
            }
            r[++j] = (sp_digit)a[i] >> s;
            s = 8U - s;
        }
        else {
            s += 8U;
        }
    }

    for (j++; j < size; j++) {
        r[j] = 0;
    }
}

/* Check that the x and y ordinates are a valid point on the curve.
 *
 * point  EC point.
 * heap   Heap to use if dynamically allocating.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
static int sp_1024_ecc_is_point_18(const sp_point_1024* point,
    void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* t1 = NULL;
#else
    sp_digit t1[18 * 4];
#endif
    sp_digit* t2 = NULL;
    sp_int64 n;
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    t1 = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18 * 4, heap, DYNAMIC_TYPE_ECC);
    if (t1 == NULL)
        err = MEMORY_E;
#endif
    (void)heap;

    if (err == MP_OKAY) {
        t2 = t1 + 2 * 18;

        /* y^2 - x^3 - a.x = b */
        sp_1024_sqr_18(t1, point->y);
        (void)sp_1024_mod_18(t1, t1, p1024_mod);
        sp_1024_sqr_18(t2, point->x);
        (void)sp_1024_mod_18(t2, t2, p1024_mod);
        sp_1024_mul_18(t2, t2, point->x);
        (void)sp_1024_mod_18(t2, t2, p1024_mod);
        sp_1024_mont_sub_18(t1, t1, t2, p1024_mod);

        /* y^2 - x^3 + 3.x = b, when a = -3  */
        sp_1024_mont_add_18(t1, t1, point->x, p1024_mod);
        sp_1024_mont_add_18(t1, t1, point->x, p1024_mod);
        sp_1024_mont_add_18(t1, t1, point->x, p1024_mod);


        n = sp_1024_cmp_18(t1, p1024_mod);
        sp_1024_cond_sub_18(t1, t1, p1024_mod, ~(n >> 56));
        sp_1024_norm_18(t1);
        if (!sp_1024_iszero_18(t1)) {
            err = MP_VAL;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (t1 != NULL)
        XFREE(t1, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the x and y ordinates are a valid point on the curve.
 *
 * pX  X ordinate of EC point.
 * pY  Y ordinate of EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve and MP_OKAY otherwise.
 */
int sp_ecc_is_point_1024(const mp_int* pX, const mp_int* pY)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_point_1024* pub = NULL;
#else
    sp_point_1024 pub[1];
#endif
    const byte one[1] = { 1 };
    int err = MP_OKAY;

#ifdef WOLFSSL_SP_SMALL_STACK
    pub = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024), NULL,
                                       DYNAMIC_TYPE_ECC);
    if (pub == NULL)
        err = MEMORY_E;
#endif

    if (err == MP_OKAY) {
        sp_1024_from_mp(pub->x, 18, pX);
        sp_1024_from_mp(pub->y, 18, pY);
        sp_1024_from_bin(pub->z, 18, one, (int)sizeof(one));

        err = sp_1024_ecc_is_point_18(pub, NULL);
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, NULL, DYNAMIC_TYPE_ECC);
#endif

    return err;
}

/* Check that the private scalar generates the EC point (px, py), the point is
 * on the curve and the point has the correct order.
 *
 * pX     X ordinate of EC point.
 * pY     Y ordinate of EC point.
 * privm  Private scalar that generates EC point.
 * returns MEMORY_E if dynamic memory allocation fails, MP_VAL if the point is
 * not on the curve, ECC_INF_E if the point does not have the correct order,
 * ECC_PRIV_KEY_E when the private scalar doesn't generate the EC point and
 * MP_OKAY otherwise.
 */
int sp_ecc_check_key_1024(const mp_int* pX, const mp_int* pY,
    const mp_int* privm, void* heap)
{
#ifdef WOLFSSL_SP_SMALL_STACK
    sp_digit* priv = NULL;
    sp_point_1024* pub = NULL;
#else
    sp_digit priv[18];
    sp_point_1024 pub[2];
#endif
    sp_point_1024* p = NULL;
    const byte one[1] = { 1 };
    int err = MP_OKAY;


    /* Quick check the lengs of public key ordinates and private key are in
     * range. Proper check later.
     */
    if (((mp_count_bits(pX) > 1024) ||
        (mp_count_bits(pY) > 1024) ||
        ((privm != NULL) && (mp_count_bits(privm) > 1024)))) {
        err = ECC_OUT_OF_RANGE_E;
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (err == MP_OKAY) {
        pub = (sp_point_1024*)XMALLOC(sizeof(sp_point_1024) * 2, heap,
                                           DYNAMIC_TYPE_ECC);
        if (pub == NULL)
            err = MEMORY_E;
    }
    if (err == MP_OKAY && privm) {
        priv = (sp_digit*)XMALLOC(sizeof(sp_digit) * 18, heap,
                                  DYNAMIC_TYPE_ECC);
        if (priv == NULL)
            err = MEMORY_E;
    }
#endif

    if (err == MP_OKAY) {
        p = pub + 1;

        sp_1024_from_mp(pub->x, 18, pX);
        sp_1024_from_mp(pub->y, 18, pY);
        sp_1024_from_bin(pub->z, 18, one, (int)sizeof(one));
        if (privm)
            sp_1024_from_mp(priv, 18, privm);

        /* Check point at infinitiy. */
        if ((sp_1024_iszero_18(pub->x) != 0) &&
            (sp_1024_iszero_18(pub->y) != 0)) {
            err = ECC_INF_E;
        }
    }

    /* Check range of X and Y */
    if ((err == MP_OKAY) &&
            ((sp_1024_cmp_18(pub->x, p1024_mod) >= 0) ||
             (sp_1024_cmp_18(pub->y, p1024_mod) >= 0))) {
        err = ECC_OUT_OF_RANGE_E;
    }

    if (err == MP_OKAY) {
        /* Check point is on curve */
        err = sp_1024_ecc_is_point_18(pub, heap);
    }

    if (err == MP_OKAY) {
        /* Point * order = infinity */
            err = sp_1024_ecc_mulmod_18(p, pub, p1024_order, 1, 1, heap);
    }
    /* Check result is infinity */
    if ((err == MP_OKAY) && ((sp_1024_iszero_18(p->x) == 0) ||
                             (sp_1024_iszero_18(p->y) == 0))) {
        err = ECC_INF_E;
    }

    if (privm) {
        if (err == MP_OKAY) {
            /* Base * private = point */
                err = sp_1024_ecc_mulmod_base_18(p, priv, 1, 1, heap);
        }
        /* Check result is public key */
        if ((err == MP_OKAY) &&
                ((sp_1024_cmp_18(p->x, pub->x) != 0) ||
                 (sp_1024_cmp_18(p->y, pub->y) != 0))) {
            err = ECC_PRIV_KEY_E;
        }
    }

#ifdef WOLFSSL_SP_SMALL_STACK
    if (pub != NULL)
        XFREE(pub, heap, DYNAMIC_TYPE_ECC);
    if (priv != NULL)
        XFREE(priv, heap, DYNAMIC_TYPE_ECC);
#endif

    return err;
}
#endif
#endif /* WOLFSSL_SP_1024 */
#endif /* WOLFCRYPT_HAVE_SAKKE */
#endif /* WOLFSSL_HAVE_SP_ECC */
#endif /* SP_WORD_SIZE == 64 */
#endif /* !WOLFSSL_SP_ASM */
#endif /* WOLFSSL_HAVE_SP_RSA | WOLFSSL_HAVE_SP_DH | WOLFSSL_HAVE_SP_ECC */