xref: /dports/net/freeswitch/freeswitch-1.10.3.-release/libs/libzrtp/third_party/bnlib/lbn64.c

/*
 * Copyright (c) 1995  Colin Plumb.  All rights reserved.
 * For licensing and other legal details, see the file legal.c.
 *
 * lbn64.c - Low-level bignum routines, 64-bit version.
 *
 * NOTE: the magic constants "64" and "128" appear in many places in this
 * file, including inside identifiers.  Because it is not possible to
 * ask "#ifdef" of a macro expansion, it is not possible to use the
 * preprocessor to conditionalize these properly.  Thus, this file is
 * intended to be edited with textual search and replace to produce
 * alternate word size versions.  Any reference to the number of bits
 * in a word must be the string "64", and that string must not appear
 * otherwise.  Any reference to twice this number must appear as "128",
 * which likewise must not appear otherwise.  Is that clear?
 *
 * Remember, when doubling the bit size replace the larger number (128)
 * first, then the smaller (64).  When halving the bit size, do the
 * opposite.  Otherwise, things will get wierd.  Also, be sure to replace
 * every instance that appears.  (:%s/foo/bar/g in vi)
 *
 * These routines work with a pointer to the least-significant end of
 * an array of WORD64s.  The BIG(x), LITTLE(y) and BIGLTTLE(x,y) macros
 * defined in lbn.h (which expand to x on a big-edian machine and y on a
 * little-endian machine) are used to conditionalize the code to work
 * either way.  If you have no assembly primitives, it doesn't matter.
 * Note that on a big-endian machine, the least-significant-end pointer
 * is ONE PAST THE END.  The bytes are ptr[-1] through ptr[-len].
 * On little-endian, they are ptr[0] through ptr[len-1].  This makes
 * perfect sense if you consider pointers to point *between* bytes rather
 * than at them.
 *
 * Because the array index values are unsigned integers, ptr[-i]
 * may not work properly, since the index -i is evaluated as an unsigned,
 * and if pointers are wider, zero-extension will produce a positive
 * number rahter than the needed negative.  The expression used in this
 * code, *(ptr-i) will, however, work.  (The array syntax is equivalent
 * to *(ptr+-i), which is a pretty subtle difference.)
 *
 * Many of these routines will get very unhappy if fed zero-length inputs.
 * They use assert() to enforce this.  An higher layer of code must make
 * sure that these aren't called with zero-length inputs.
 *
 * Any of these routines can be replaced with more efficient versions
 * elsewhere, by just #defining their names.  If one of the names
 * is #defined, the C code is not compiled in and no declaration is
 * made.  Use the BNINCLUDE file to do that.  Typically, you compile
 * asm subroutines with the same name and just, e.g.
 * #define lbnMulAdd1_64 lbnMulAdd1_64
 *
 * If you want to write asm routines, start with lbnMulAdd1_64().
 * This is the workhorse of modular exponentiation.  lbnMulN1_64() is
 * also used a fair bit, although not as much and it's defined in terms
 * of lbnMulAdd1_64 if that has a custom version.  lbnMulSub1_64 and
 * lbnDiv21_64 are used in the usual division and remainder finding.
 * (Not the Montgomery reduction used in modular exponentiation, though.)
 * Once you have lbnMulAdd1_64 defined, writing the other two should
 * be pretty easy.  (Just make sure you get the sign of the subtraction
 * in lbnMulSub1_64 right - it's dest = dest - source * k.)
 *
 * The only definitions that absolutely need a double-word (BNWORD128)
 * type are lbnMulAdd1_64 and lbnMulSub1_64; if those are provided,
 * the rest follows.  lbnDiv21_64, however, is a lot slower unless you
 * have them, and lbnModQ_64 takes after it.  That one is used quite a
 * bit for prime sieving.
 */

#ifndef HAVE_CONFIG_H
#define HAVE_CONFIG_H 0
#endif
#if HAVE_CONFIG_H
#include "bnconfig.h"
#endif

/*
 * Some compilers complain about #if FOO if FOO isn't defined,
 * so do the ANSI-mandated thing explicitly...
 */
#ifndef NO_ASSERT_H
#define NO_ASSERT_H 0
#endif
#ifndef NO_STRING_H
#define NO_STRING_H 0
#endif
#ifndef HAVE_STRINGS_H
#define HAVE_STRINGS_H 0
#endif

#if !NO_ASSERT_H
#include <assert.h>
#else
#define assert(x) (void)0
#endif

#if !NO_STRING_H
#include <string.h>	/* For memcpy */
#elif HAVE_STRINGS_H
#include <strings.h>
#endif

#include "lbn.h"
#include "lbn64.h"
#include "lbnmem.h"

#include "kludge.h"

#ifndef BNWORD64
#error 64-bit bignum library requires a 64-bit data type
#endif

/* If this is defined, include bnYield() calls */
#if BNYIELD
extern int (*bnYield)(void);	/* From bn.c */
#endif

/*
 * Most of the multiply (and Montgomery reduce) routines use an outer
 * loop that iterates over one of the operands - a so-called operand
 * scanning approach.  One big advantage of this is that the assembly
 * support routines are simpler.  The loops can be rearranged to have
 * an outer loop that iterates over the product, a so-called product
 * scanning approach.  This has the advantage of writing less data
 * and doing fewer adds to memory, so is supposedly faster.  Some
 * code has been written using a product-scanning approach, but
 * it appears to be slower, so it is turned off by default.  Some
 * experimentation would be appreciated.
 *
 * (The code is also annoying to get right and not very well commented,
 * one of my pet peeves about math libraries.  I'm sorry.)
 */
#ifndef PRODUCT_SCAN
#define PRODUCT_SCAN 0
#endif

/*
 * Copy an array of words.  <Marvin mode on>  Thrilling, isn't it? </Marvin>
 * This is a good example of how the byte offsets and BIGLITTLE() macros work.
 * Another alternative would have been
 * memcpy(dest BIG(-len), src BIG(-len), len*sizeof(BNWORD64)), but I find that
 * putting operators into conditional macros is confusing.
 */
#ifndef lbnCopy_64
void
lbnCopy_64(BNWORD64 *dest, BNWORD64 const *src, unsigned len)
{
	memcpy(BIGLITTLE(dest-len,dest), BIGLITTLE(src-len,src),
	       len * sizeof(*src));
}
#endif /* !lbnCopy_64 */

/*
 * Fill n words with zero.  This does it manually rather than calling
 * memset because it can assume alignment to make things faster while
 * memset can't.  Note how big-endian numbers are naturally addressed
 * using predecrement, while little-endian is postincrement.
 */
#ifndef lbnZero_64
void
lbnZero_64(BNWORD64 *num, unsigned len)
{
	while (len--)
		BIGLITTLE(*--num,*num++) = 0;
}
#endif /* !lbnZero_64 */

/*
 * Negate an array of words.
 * Negation is subtraction from zero.  Negating low-order words
 * entails doing nothing until a non-zero word is hit.  Once that
 * is negated, a borrow is generated and never dies until the end
 * of the number is hit.  Negation with borrow, -x-1, is the same as ~x.
 * Repeat that until the end of the number.
 *
 * Doesn't return borrow out because that's pretty useless - it's
 * always set unless the input is 0, which is easy to notice in
 * normalized form.
 */
#ifndef lbnNeg_64
void
lbnNeg_64(BNWORD64 *num, unsigned len)
{
	assert(len);

	/* Skip low-order zero words */
	while (BIGLITTLE(*--num,*num) == 0) {
		if (!--len)
			return;
		LITTLE(num++;)
	}
	/* Negate the lowest-order non-zero word */
	*num = -*num;
	/* Complement all the higher-order words */
	while (--len) {
		BIGLITTLE(--num,++num);
		*num = ~*num;
	}
}
#endif /* !lbnNeg_64 */


/*
 * lbnAdd1_64: add the single-word "carry" to the given number.
 * Used for minor increments and propagating the carry after
 * adding in a shorter bignum.
 *
 * Technique: If we have a double-width word, presumably the compiler
 * can add using its carry in inline code, so we just use a larger
 * accumulator to compute the carry from the first addition.
 * If not, it's more complex.  After adding the first carry, which may
 * be > 1, compare the sum and the carry.  If the sum wraps (causing a
 * carry out from the addition), the result will be less than each of the
 * inputs, since the wrap subtracts a number (2^64) which is larger than
 * the other input can possibly be.  If the sum is >= the carry input,
 * return success immediately.
 * In either case, if there is a carry, enter a loop incrementing words
 * until one does not wrap.  Since we are adding 1 each time, the wrap
 * will be to 0 and we can test for equality.
 */
#ifndef lbnAdd1_64	/* If defined, it's provided as an asm subroutine */
#ifdef BNWORD128
BNWORD64
lbnAdd1_64(BNWORD64 *num, unsigned len, BNWORD64 carry)
{
	BNWORD128 t;
	assert(len > 0);	/* Alternative: if (!len) return carry */

	t = (BNWORD128)BIGLITTLE(*--num,*num) + carry;
	BIGLITTLE(*num,*num++) = (BNWORD64)t;
	if ((t >> 64) == 0)
		return 0;
	while (--len) {
		if (++BIGLITTLE(*--num,*num++) != 0)
			return 0;
	}
	return 1;
}
#else /* no BNWORD128 */
BNWORD64
lbnAdd1_64(BNWORD64 *num, unsigned len, BNWORD64 carry)
{
	assert(len > 0);	/* Alternative: if (!len) return carry */

	if ((BIGLITTLE(*--num,*num++) += carry) >= carry)
		return 0;
	while (--len) {
		if (++BIGLITTLE(*--num,*num++) != 0)
			return 0;
	}
	return 1;
}
#endif
#endif/* !lbnAdd1_64 */

/*
 * lbnSub1_64: subtract the single-word "borrow" from the given number.
 * Used for minor decrements and propagating the borrow after
 * subtracting a shorter bignum.
 *
 * Technique: Similar to the add, above.  If there is a double-length type,
 * use that to generate the first borrow.
 * If not, after subtracting the first borrow, which may be > 1, compare
 * the difference and the *negative* of the carry.  If the subtract wraps
 * (causing a borrow out from the subtraction), the result will be at least
 * as large as -borrow.  If the result < -borrow, then no borrow out has
 * appeared and we may return immediately, except when borrow == 0.  To
 * deal with that case, use the identity that -x = ~x+1, and instead of
 * comparing < -borrow, compare for <= ~borrow.
 * Either way, if there is a borrow out, enter a loop decrementing words
 * until a non-zero word is reached.
 *
 * Note the cast of ~borrow to (BNWORD64).  If the size of an int is larger
 * than BNWORD64, C rules say the number is expanded for the arithmetic, so
 * the inversion will be done on an int and the value won't be quite what
 * is expected.
 */
#ifndef lbnSub1_64	/* If defined, it's provided as an asm subroutine */
#ifdef BNWORD128
BNWORD64
lbnSub1_64(BNWORD64 *num, unsigned len, BNWORD64 borrow)
{
	BNWORD128 t;
	assert(len > 0);	/* Alternative: if (!len) return borrow */

	t = (BNWORD128)BIGLITTLE(*--num,*num) - borrow;
	BIGLITTLE(*num,*num++) = (BNWORD64)t;
	if ((t >> 64) == 0)
		return 0;
	while (--len) {
		if ((BIGLITTLE(*--num,*num++))-- != 0)
			return 0;
	}
	return 1;
}
#else /* no BNWORD128 */
BNWORD64
lbnSub1_64(BNWORD64 *num, unsigned len, BNWORD64 borrow)
{
	assert(len > 0);	/* Alternative: if (!len) return borrow */

	if ((BIGLITTLE(*--num,*num++) -= borrow) <= (BNWORD64)~borrow)
		return 0;
	while (--len) {
		if ((BIGLITTLE(*--num,*num++))-- != 0)
			return 0;
	}
	return 1;
}
#endif
#endif /* !lbnSub1_64 */

/*
 * lbnAddN_64: add two bignums of the same length, returning the carry (0 or 1).
 * One of the building blocks, along with lbnAdd1, of adding two bignums of
 * differing lengths.
 *
 * Technique: Maintain a word of carry.  If there is no double-width type,
 * use the same technique as in lbnAdd1, above, to maintain the carry by
 * comparing the inputs.  Adding the carry sources is used as an OR operator;
 * at most one of the two comparisons can possibly be true.  The first can
 * only be true if carry == 1 and x, the result, is 0.  In that case the
 * second can't possibly be true.
 */
#ifndef lbnAddN_64
#ifdef BNWORD128
BNWORD64
lbnAddN_64(BNWORD64 *num1, BNWORD64 const *num2, unsigned len)
{
	BNWORD128 t;

	assert(len > 0);

	t = (BNWORD128)BIGLITTLE(*--num1,*num1) + BIGLITTLE(*--num2,*num2++);
	BIGLITTLE(*num1,*num1++) = (BNWORD64)t;
	while (--len) {
		t = (BNWORD128)BIGLITTLE(*--num1,*num1) +
		    (BNWORD128)BIGLITTLE(*--num2,*num2++) + (t >> 64);
		BIGLITTLE(*num1,*num1++) = (BNWORD64)t;
	}

	return (BNWORD64)(t>>64);
}
#else /* no BNWORD128 */
BNWORD64
lbnAddN_64(BNWORD64 *num1, BNWORD64 const *num2, unsigned len)
{
	BNWORD64 x, carry = 0;

	assert(len > 0);	/* Alternative: change loop to test at start */

	do {
		x = BIGLITTLE(*--num2,*num2++);
		carry = (x += carry) < carry;
		carry += (BIGLITTLE(*--num1,*num1++) += x) < x;
	} while (--len);

	return carry;
}
#endif
#endif /* !lbnAddN_64 */

/*
 * lbnSubN_64: add two bignums of the same length, returning the carry (0 or 1).
 * One of the building blocks, along with subn1, of subtracting two bignums of
 * differing lengths.
 *
 * Technique: If no double-width type is availble, maintain a word of borrow.
 * First, add the borrow to the subtrahend (did you have to learn all those
 * awful words in elementary school, too?), and if it overflows, set the
 * borrow again.  Then subtract the modified subtrahend from the next word
 * of input, using the same technique as in subn1, above.
 * Adding the borrows is used as an OR operator; at most one of the two
 * comparisons can possibly be true.  The first can only be true if
 * borrow == 1 and x, the result, is 0.  In that case the second can't
 * possibly be true.
 *
 * In the double-word case, (BNWORD64)-(t>>64) is subtracted, rather than
 * adding t>>64, because the shift would need to sign-extend and that's
 * not guaranteed to happen in ANSI C, even with signed types.
 */
#ifndef lbnSubN_64
#ifdef BNWORD128
BNWORD64
lbnSubN_64(BNWORD64 *num1, BNWORD64 const *num2, unsigned len)
{
	BNWORD128 t;

	assert(len > 0);

	t = (BNWORD128)BIGLITTLE(*--num1,*num1) - BIGLITTLE(*--num2,*num2++);
	BIGLITTLE(*num1,*num1++) = (BNWORD64)t;

	while (--len) {
		t = (BNWORD128)BIGLITTLE(*--num1,*num1) -
		    (BNWORD128)BIGLITTLE(*--num2,*num2++) - (BNWORD64)-(t >> 64);
		BIGLITTLE(*num1,*num1++) = (BNWORD64)t;
	}

	return -(BNWORD64)(t>>64);
}
#else
BNWORD64
lbnSubN_64(BNWORD64 *num1, BNWORD64 const *num2, unsigned len)
{
	BNWORD64 x, borrow = 0;

	assert(len > 0);	/* Alternative: change loop to test at start */

	do {
		x = BIGLITTLE(*--num2,*num2++);
		borrow = (x += borrow) < borrow;
		borrow += (BIGLITTLE(*--num1,*num1++) -= x) > (BNWORD64)~x;
	} while (--len);

	return borrow;
}
#endif
#endif /* !lbnSubN_64 */

#ifndef lbnCmp_64
/*
 * lbnCmp_64: compare two bignums of equal length, returning the sign of
 * num1 - num2. (-1, 0 or +1).
 *
 * Technique: Change the little-endian pointers to big-endian pointers
 * and compare from the most-significant end until a difference if found.
 * When it is, figure out the sign of the difference and return it.
 */
int
lbnCmp_64(BNWORD64 const *num1, BNWORD64 const *num2, unsigned len)
{
	BIGLITTLE(num1 -= len, num1 += len);
	BIGLITTLE(num2 -= len, num2 += len);

	while (len--) {
		if (BIGLITTLE(*num1++ != *num2++, *--num1 != *--num2)) {
			if (BIGLITTLE(num1[-1] < num2[-1], *num1 < *num2))
				return -1;
			else
				return 1;
		}
	}
	return 0;
}
#endif /* !lbnCmp_64 */

/*
 * mul64_ppmmaa(ph,pl,x,y,a,b) is an optional routine that
 * computes (ph,pl) = x * y + a + b.  mul64_ppmma and mul64_ppmm
 * are simpler versions.  If you want to be lazy, all of these
 * can be defined in terms of the others, so here we create any
 * that have not been defined in terms of the ones that have been.
 */

/* Define ones with fewer a's in terms of ones with more a's */
#if !defined(mul64_ppmma) && defined(mul64_ppmmaa)
#define mul64_ppmma(ph,pl,x,y,a) mul64_ppmmaa(ph,pl,x,y,a,0)
#endif

#if !defined(mul64_ppmm) && defined(mul64_ppmma)
#define mul64_ppmm(ph,pl,x,y) mul64_ppmma(ph,pl,x,y,0)
#endif

/*
 * Use this definition to test the mul64_ppmm-based operations on machines
 * that do not provide mul64_ppmm.  Change the final "0" to a "1" to
 * enable it.
 */
#if !defined(mul64_ppmm) && defined(BNWORD128) && 0	/* Debugging */
#define mul64_ppmm(ph,pl,x,y) \
	({BNWORD128 _ = (BNWORD128)(x)*(y); (pl) = _; (ph) = _>>64;})
#endif

#if defined(mul64_ppmm) && !defined(mul64_ppmma)
#define mul64_ppmma(ph,pl,x,y,a) \
	(mul64_ppmm(ph,pl,x,y), (ph) += ((pl) += (a)) < (a))
#endif

#if defined(mul64_ppmma) && !defined(mul64_ppmmaa)
#define mul64_ppmmaa(ph,pl,x,y,a,b) \
	(mul64_ppmma(ph,pl,x,y,a), (ph) += ((pl) += (b)) < (b))
#endif

/*
 * lbnMulN1_64: Multiply an n-word input by a 1-word input and store the
 * n+1-word product.  This uses either the mul64_ppmm and mul64_ppmma
 * macros, or C multiplication with the BNWORD128 type.  This uses mul64_ppmma
 * if available, assuming you won't bother defining it unless you can do
 * better than the normal multiplication.
 */
#ifndef lbnMulN1_64
#ifdef lbnMulAdd1_64	/* If we have this asm primitive, use it. */
void
lbnMulN1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	lbnZero_64(out, len);
	BIGLITTLE(*(out-len-1),*(out+len)) = lbnMulAdd1_64(out, in, len, k);
}
#elif defined(mul64_ppmm)
void
lbnMulN1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD64 carry, carryin;

	assert(len > 0);

	BIG(--out;--in;);
	mul64_ppmm(carry, *out, *in, k);
	LITTLE(out++;in++;)

	while (--len) {
		BIG(--out;--in;)
		carryin = carry;
		mul64_ppmma(carry, *out, *in, k, carryin);
		LITTLE(out++;in++;)
	}
	BIGLITTLE(*--out,*out) = carry;
}
#elif defined(BNWORD128)
void
lbnMulN1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD128 p;

	assert(len > 0);

	p = (BNWORD128)BIGLITTLE(*--in,*in++) * k;
	BIGLITTLE(*--out,*out++) = (BNWORD64)p;

	while (--len) {
		p = (BNWORD128)BIGLITTLE(*--in,*in++) * k + (BNWORD64)(p >> 64);
		BIGLITTLE(*--out,*out++) = (BNWORD64)p;
	}
	BIGLITTLE(*--out,*out) = (BNWORD64)(p >> 64);
}
#else
#error No 64x64 -> 128 multiply available for 64-bit bignum package
#endif
#endif /* lbnMulN1_64 */

/*
 * lbnMulAdd1_64: Multiply an n-word input by a 1-word input and add the
 * low n words of the product to the destination.  *Returns the n+1st word
 * of the product.*  (That turns out to be more convenient than adding
 * it into the destination and dealing with a possible unit carry out
 * of *that*.)  This uses either the mul64_ppmma and mul64_ppmmaa macros,
 * or C multiplication with the BNWORD128 type.
 *
 * If you're going to write assembly primitives, this is the one to
 * start with.  It is by far the most commonly called function.
 */
#ifndef lbnMulAdd1_64
#if defined(mul64_ppmm)
BNWORD64
lbnMulAdd1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD64 prod, carry, carryin;

	assert(len > 0);

	BIG(--out;--in;);
	carryin = *out;
	mul64_ppmma(carry, *out, *in, k, carryin);
	LITTLE(out++;in++;)

	while (--len) {
		BIG(--out;--in;);
		carryin = carry;
		mul64_ppmmaa(carry, prod, *in, k, carryin, *out);
		*out = prod;
		LITTLE(out++;in++;)
	}

	return carry;
}
#elif defined(BNWORD128)
BNWORD64
lbnMulAdd1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD128 p;

	assert(len > 0);

	p = (BNWORD128)BIGLITTLE(*--in,*in++) * k + BIGLITTLE(*--out,*out);
	BIGLITTLE(*out,*out++) = (BNWORD64)p;

	while (--len) {
		p = (BNWORD128)BIGLITTLE(*--in,*in++) * k +
		    (BNWORD64)(p >> 64) + BIGLITTLE(*--out,*out);
		BIGLITTLE(*out,*out++) = (BNWORD64)p;
	}

	return (BNWORD64)(p >> 64);
}
#else
#error No 64x64 -> 128 multiply available for 64-bit bignum package
#endif
#endif /* lbnMulAdd1_64 */

/*
 * lbnMulSub1_64: Multiply an n-word input by a 1-word input and subtract the
 * n-word product from the destination.  Returns the n+1st word of the product.
 * This uses either the mul64_ppmm and mul64_ppmma macros, or
 * C multiplication with the BNWORD128 type.
 *
 * This is rather uglier than adding, but fortunately it's only used in
 * division which is not used too heavily.
 */
#ifndef lbnMulSub1_64
#if defined(mul64_ppmm)
BNWORD64
lbnMulSub1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD64 prod, carry, carryin;

	assert(len > 0);

	BIG(--in;)
	mul64_ppmm(carry, prod, *in, k);
	LITTLE(in++;)
	carry += (BIGLITTLE(*--out,*out++) -= prod) > (BNWORD64)~prod;

	while (--len) {
		BIG(--in;);
		carryin = carry;
		mul64_ppmma(carry, prod, *in, k, carryin);
		LITTLE(in++;)
		carry += (BIGLITTLE(*--out,*out++) -= prod) > (BNWORD64)~prod;
	}

	return carry;
}
#elif defined(BNWORD128)
BNWORD64
lbnMulSub1_64(BNWORD64 *out, BNWORD64 const *in, unsigned len, BNWORD64 k)
{
	BNWORD128 p;
	BNWORD64 carry, t;

	assert(len > 0);

	p = (BNWORD128)BIGLITTLE(*--in,*in++) * k;
	t = BIGLITTLE(*--out,*out);
	carry = (BNWORD64)(p>>64) + ((BIGLITTLE(*out,*out++)=t-(BNWORD64)p) > t);

	while (--len) {
		p = (BNWORD128)BIGLITTLE(*--in,*in++) * k + carry;
		t = BIGLITTLE(*--out,*out);
		carry = (BNWORD64)(p>>64) +
			( (BIGLITTLE(*out,*out++)=t-(BNWORD64)p) > t );
	}

	return carry;
}
#else
#error No 64x64 -> 128 multiply available for 64-bit bignum package
#endif
#endif /* !lbnMulSub1_64 */

/*
 * Shift n words left "shift" bits.  0 < shift < 64.  Returns the
 * carry, any bits shifted off the left-hand side (0 <= carry < 2^shift).
 */
#ifndef lbnLshift_64
BNWORD64
lbnLshift_64(BNWORD64 *num, unsigned len, unsigned shift)
{
	BNWORD64 x, carry;

	assert(shift > 0);
	assert(shift < 64);

	carry = 0;
	while (len--) {
		BIG(--num;)
		x = *num;
		*num = (x<<shift) | carry;
		LITTLE(num++;)
		carry = x >> (64-shift);
	}
	return carry;
}
#endif /* !lbnLshift_64 */

/*
 * An optimized version of the above, for shifts of 1.
 * Some machines can use add-with-carry tricks for this.
 */
#ifndef lbnDouble_64
BNWORD64
lbnDouble_64(BNWORD64 *num, unsigned len)
{
	BNWORD64 x, carry;

	carry = 0;
	while (len--) {
		BIG(--num;)
		x = *num;
		*num = (x<<1) | carry;
		LITTLE(num++;)
		carry = x >> (64-1);
	}
	return carry;
}
#endif /* !lbnDouble_64 */

/*
 * Shift n words right "shift" bits.  0 < shift < 64.  Returns the
 * carry, any bits shifted off the right-hand side (0 <= carry < 2^shift).
 */
#ifndef lbnRshift_64
BNWORD64
lbnRshift_64(BNWORD64 *num, unsigned len, unsigned shift)
{
	BNWORD64 x, carry = 0;

	assert(shift > 0);
	assert(shift < 64);

	BIGLITTLE(num -= len, num += len);

	while (len--) {
		LITTLE(--num;)
		x = *num;
		*num = (x>>shift) | carry;
		BIG(num++;)
		carry = x << (64-shift);
	}
	return carry >> (64-shift);
}
#endif /* !lbnRshift_64 */

/*
 * Multiply two numbers of the given lengths.  prod and num2 may overlap,
 * provided that the low len1 bits of prod are free.  (This corresponds
 * nicely to the place the result is returned from lbnMontReduce_64.)
 *
 * TODO: Use Karatsuba multiply.  The overlap constraints may have
 * to get rewhacked.
 */
#ifndef lbnMul_64
void
lbnMul_64(BNWORD64 *prod, BNWORD64 const *num1, unsigned len1,
                          BNWORD64 const *num2, unsigned len2)
{
	/* Special case of zero */
	if (!len1 || !len2) {
		lbnZero_64(prod, len1+len2);
		return;
	}

	/* Multiply first word */
	lbnMulN1_64(prod, num1, len1, BIGLITTLE(*--num2,*num2++));

	/*
	 * Add in subsequent words, storing the most significant word,
	 * which is new each time.
	 */
	while (--len2) {
		BIGLITTLE(--prod,prod++);
		BIGLITTLE(*(prod-len1-1),*(prod+len1)) =
		    lbnMulAdd1_64(prod, num1, len1, BIGLITTLE(*--num2,*num2++));
	}
}
#endif /* !lbnMul_64 */

/*
 * lbnMulX_64 is a square multiply - both inputs are the same length.
 * It's normally just a macro wrapper around the general multiply,
 * but might be implementable in assembly more efficiently (such as
 * when product scanning).
 */
#ifndef lbnMulX_64
#if defined(BNWORD128) && PRODUCT_SCAN
/*
 * Test code to see whether product scanning is any faster.  It seems
 * to make the C code slower, so PRODUCT_SCAN is not defined.
 */
static void
lbnMulX_64(BNWORD64 *prod, BNWORD64 const *num1, BNWORD64 const *num2,
	unsigned len)
{
	BNWORD128 x, y;
	BNWORD64 const *p1, *p2;
	unsigned carry;
	unsigned i, j;

	/* Special case of zero */
	if (!len)
		return;

	x = (BNWORD128)BIGLITTLE(num1[-1] * num2[-1], num1[0] * num2[0]);
	BIGLITTLE(*--prod, *prod++) = (BNWORD64)x;
	x >>= 64;

	for (i = 1; i < len; i++) {
		carry = 0;
		p1 = num1;
		p2 = BIGLITTLE(num2-i-1,num2+i+1);
		for (j = 0; j <= i; j++) {
			BIG(y = (BNWORD128)*--p1 * *p2++;)
			LITTLE(y = (BNWORD128)*p1++ * *--p2;)
			x += y;
			carry += (x < y);
		}
		BIGLITTLE(*--prod,*prod++) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}
	for (i = 1; i < len; i++) {
		carry = 0;
		p1 = BIGLITTLE(num1-i,num1+i);
		p2 = BIGLITTLE(num2-len,num2+len);
		for (j = i; j < len; j++) {
			BIG(y = (BNWORD128)*--p1 * *p2++;)
			LITTLE(y = (BNWORD128)*p1++ * *--p2;)
			x += y;
			carry += (x < y);
		}
		BIGLITTLE(*--prod,*prod++) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}

	BIGLITTLE(*--prod,*prod) = (BNWORD64)x;
}
#else /* !defined(BNWORD128) || !PRODUCT_SCAN */
/* Default trivial macro definition */
#define lbnMulX_64(prod, num1, num2, len) lbnMul_64(prod, num1, len, num2, len)
#endif /* !defined(BNWORD128) || !PRODUCT_SCAN */
#endif /* !lbmMulX_64 */

#if !defined(lbnMontMul_64) && defined(BNWORD128) && PRODUCT_SCAN
/*
 * Test code for product-scanning multiply.  This seems to slow the C
 * code down rather than speed it up.
 * This does a multiply and Montgomery reduction together, using the
 * same loops.  The outer loop scans across the product, twice.
 * The first pass computes the low half of the product and the
 * Montgomery multipliers.  These are stored in the product array,
 * which contains no data as of yet.  x and carry add up the columns
 * and propagate carries forward.
 *
 * The second half multiplies the upper half, adding in the modulus
 * times the Montgomery multipliers.  The results of this multiply
 * are stored.
 */
static void
lbnMontMul_64(BNWORD64 *prod, BNWORD64 const *num1, BNWORD64 const *num2,
	BNWORD64 const *mod, unsigned len, BNWORD64 inv)
{
	BNWORD128 x, y;
	BNWORD64 const *p1, *p2, *pm;
	BNWORD64 *pp;
	BNWORD64 t;
	unsigned carry;
	unsigned i, j;

	/* Special case of zero */
	if (!len)
		return;

	/*
	 * This computes directly into the high half of prod, so just
	 * shift the pointer and consider prod only "len" elements long
	 * for the rest of the code.
	 */
	BIGLITTLE(prod -= len, prod += len);

	/* Pass 1 - compute Montgomery multipliers */
	/* First iteration can have certain simplifications. */
	x = (BNWORD128)BIGLITTLE(num1[-1] * num2[-1], num1[0] * num2[0]);
	BIGLITTLE(prod[-1], prod[0]) = t = inv * (BNWORD64)x;
	y = (BNWORD128)t * BIGLITTLE(mod[-1],mod[0]);
	x += y;
	/* Note: GCC 2.6.3 has a bug if you try to eliminate "carry" */
	carry = (x < y);
	assert((BNWORD64)x == 0);
	x = x >> 64 | (BNWORD128)carry << 64;

	for (i = 1; i < len; i++) {
		carry = 0;
		p1 = num1;
		p2 = BIGLITTLE(num2-i-1,num2+i+1);
		pp = prod;
		pm = BIGLITTLE(mod-i-1,mod+i+1);
		for (j = 0; j < i; j++) {
			y = (BNWORD128)BIGLITTLE(*--p1 * *p2++, *p1++ * *--p2);
			x += y;
			carry += (x < y);
			y = (BNWORD128)BIGLITTLE(*--pp * *pm++, *pp++ * *--pm);
			x += y;
			carry += (x < y);
		}
		y = (BNWORD128)BIGLITTLE(p1[-1] * p2[0], p1[0] * p2[-1]);
		x += y;
		carry += (x < y);
		assert(BIGLITTLE(pp == prod-i, pp == prod+i));
		BIGLITTLE(pp[-1], pp[0]) = t = inv * (BNWORD64)x;
		assert(BIGLITTLE(pm == mod-1, pm == mod+1));
		y = (BNWORD128)t * BIGLITTLE(pm[0],pm[-1]);
		x += y;
		carry += (x < y);
		assert((BNWORD64)x == 0);
		x = x >> 64 | (BNWORD128)carry << 64;
	}

	/* Pass 2 - compute reduced product and store */
	for (i = 1; i < len; i++) {
		carry = 0;
		p1 = BIGLITTLE(num1-i,num1+i);
		p2 = BIGLITTLE(num2-len,num2+len);
		pm = BIGLITTLE(mod-i,mod+i);
		pp = BIGLITTLE(prod-len,prod+len);
		for (j = i; j < len; j++) {
			y = (BNWORD128)BIGLITTLE(*--p1 * *p2++, *p1++ * *--p2);
			x += y;
			carry += (x < y);
			y = (BNWORD128)BIGLITTLE(*--pm * *pp++, *pm++ * *--pp);
			x += y;
			carry += (x < y);
		}
		assert(BIGLITTLE(pm == mod-len, pm == mod+len));
		assert(BIGLITTLE(pp == prod-i, pp == prod+i));
		BIGLITTLE(pp[0],pp[-1]) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}

	/* Last round of second half, simplified. */
	BIGLITTLE(*(prod-len),*(prod+len-1)) = (BNWORD64)x;
	carry = (x >> 64);

	while (carry)
		carry -= lbnSubN_64(prod, mod, len);
	while (lbnCmp_64(prod, mod, len) >= 0)
		(void)lbnSubN_64(prod, mod, len);
}
/* Suppress later definition */
#define lbnMontMul_64 lbnMontMul_64
#endif

#if !defined(lbnSquare_64) && defined(BNWORD128) && PRODUCT_SCAN
/*
 * Trial code for product-scanning squaring.  This seems to slow the C
 * code down rather than speed it up.
 */
void
lbnSquare_64(BNWORD64 *prod, BNWORD64 const *num, unsigned len)
{
	BNWORD128 x, y, z;
	BNWORD64 const *p1, *p2;
	unsigned carry;
	unsigned i, j;

	/* Special case of zero */
	if (!len)
		return;

	/* Word 0 of product */
	x = (BNWORD128)BIGLITTLE(num[-1] * num[-1], num[0] * num[0]);
	BIGLITTLE(*--prod, *prod++) = (BNWORD64)x;
	x >>= 64;

	/* Words 1 through len-1 */
	for (i = 1; i < len; i++) {
		carry = 0;
		y = 0;
		p1 = num;
		p2 = BIGLITTLE(num-i-1,num+i+1);
		for (j = 0; j < (i+1)/2; j++) {
			BIG(z = (BNWORD128)*--p1 * *p2++;)
			LITTLE(z = (BNWORD128)*p1++ * *--p2;)
			y += z;
			carry += (y < z);
		}
		y += z = y;
		carry += carry + (y < z);
		if ((i & 1) == 0) {
			assert(BIGLITTLE(--p1 == p2, p1 == --p2));
			BIG(z = (BNWORD128)*p2 * *p2;)
			LITTLE(z = (BNWORD128)*p1 * *p1;)
			y += z;
			carry += (y < z);
		}
		x += y;
		carry += (x < y);
		BIGLITTLE(*--prod,*prod++) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}
	/* Words len through 2*len-2 */
	for (i = 1; i < len; i++) {
		carry = 0;
		y = 0;
		p1 = BIGLITTLE(num-i,num+i);
		p2 = BIGLITTLE(num-len,num+len);
		for (j = 0; j < (len-i)/2; j++) {
			BIG(z = (BNWORD128)*--p1 * *p2++;)
			LITTLE(z = (BNWORD128)*p1++ * *--p2;)
			y += z;
			carry += (y < z);
		}
		y += z = y;
		carry += carry + (y < z);
		if ((len-i) & 1) {
			assert(BIGLITTLE(--p1 == p2, p1 == --p2));
			BIG(z = (BNWORD128)*p2 * *p2;)
			LITTLE(z = (BNWORD128)*p1 * *p1;)
			y += z;
			carry += (y < z);
		}
		x += y;
		carry += (x < y);
		BIGLITTLE(*--prod,*prod++) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}

	/* Word 2*len-1 */
	BIGLITTLE(*--prod,*prod) = (BNWORD64)x;
}
/* Suppress later definition */
#define lbnSquare_64 lbnSquare_64
#endif

/*
 * Square a number, using optimized squaring to reduce the number of
 * primitive multiples that are executed.  There may not be any
 * overlap of the input and output.
 *
 * Technique: Consider the partial products in the multiplication
 * of "abcde" by itself:
 *
 *               a  b  c  d  e
 *            *  a  b  c  d  e
 *          ==================
 *              ae be ce de ee
 *           ad bd cd dd de
 *        ac bc cc cd ce
 *     ab bb bc bd be
 *  aa ab ac ad ae
 *
 * Note that everything above the main diagonal:
 *              ae be ce de = (abcd) * e
 *           ad bd cd       = (abc) * d
 *        ac bc             = (ab) * c
 *     ab                   = (a) * b
 *
 * is a copy of everything below the main diagonal:
 *                       de
 *                 cd ce
 *           bc bd be
 *     ab ac ad ae
 *
 * Thus, the sum is 2 * (off the diagonal) + diagonal.
 *
 * This is accumulated beginning with the diagonal (which
 * consist of the squares of the digits of the input), which is then
 * divided by two, the off-diagonal added, and multiplied by two
 * again.  The low bit is simply a copy of the low bit of the
 * input, so it doesn't need special care.
 *
 * TODO: Merge the shift by 1 with the squaring loop.
 * TODO: Use Karatsuba.  (a*W+b)^2 = a^2 * (W^2+W) + b^2 * (W+1) - (a-b)^2 * W.
 */
#ifndef lbnSquare_64
void
lbnSquare_64(BNWORD64 *prod, BNWORD64 const *num, unsigned len)
{
	BNWORD64 t;
	BNWORD64 *prodx = prod;		/* Working copy of the argument */
	BNWORD64 const *numx = num;	/* Working copy of the argument */
	unsigned lenx = len;		/* Working copy of the argument */

	if (!len)
		return;

	/* First, store all the squares */
	while (lenx--) {
#ifdef mul64_ppmm
		BNWORD64 ph, pl;
		t = BIGLITTLE(*--numx,*numx++);
		mul64_ppmm(ph,pl,t,t);
		BIGLITTLE(*--prodx,*prodx++) = pl;
		BIGLITTLE(*--prodx,*prodx++) = ph;
#elif defined(BNWORD128) /* use BNWORD128 */
		BNWORD128 p;
		t = BIGLITTLE(*--numx,*numx++);
		p = (BNWORD128)t * t;
		BIGLITTLE(*--prodx,*prodx++) = (BNWORD64)p;
		BIGLITTLE(*--prodx,*prodx++) = (BNWORD64)(p>>64);
#else	/* Use lbnMulN1_64 */
		t = BIGLITTLE(numx[-1],*numx);
		lbnMulN1_64(prodx, numx, 1, t);
		BIGLITTLE(--numx,numx++);
		BIGLITTLE(prodx -= 2, prodx += 2);
#endif
	}
	/* Then, shift right 1 bit */
	(void)lbnRshift_64(prod, 2*len, 1);

	/* Then, add in the off-diagonal sums */
	lenx = len;
	numx = num;
	prodx = prod;
	while (--lenx) {
		t = BIGLITTLE(*--numx,*numx++);
		BIGLITTLE(--prodx,prodx++);
		t = lbnMulAdd1_64(prodx, numx, lenx, t);
		lbnAdd1_64(BIGLITTLE(prodx-lenx,prodx+lenx), lenx+1, t);
		BIGLITTLE(--prodx,prodx++);
	}

	/* Shift it back up */
	lbnDouble_64(prod, 2*len);

	/* And set the low bit appropriately */
	BIGLITTLE(prod[-1],prod[0]) |= BIGLITTLE(num[-1],num[0]) & 1;
}
#endif /* !lbnSquare_64 */

/*
 * lbnNorm_64 - given a number, return a modified length such that the
 * most significant digit is non-zero.  Zero-length input is okay.
 */
#ifndef lbnNorm_64
unsigned
lbnNorm_64(BNWORD64 const *num, unsigned len)
{
	BIGLITTLE(num -= len,num += len);
	while (len && BIGLITTLE(*num++,*--num) == 0)
		--len;
	return len;
}
#endif /* lbnNorm_64 */

/*
 * lbnBits_64 - return the number of significant bits in the array.
 * It starts by normalizing the array.  Zero-length input is okay.
 * Then assuming there's anything to it, it fetches the high word,
 * generates a bit length by multiplying the word length by 64, and
 * subtracts off 64/2, 64/4, 64/8, ... bits if the high bits are clear.
 */
#ifndef lbnBits_64
unsigned
lbnBits_64(BNWORD64 const *num, unsigned len)
{
	BNWORD64 t;
	unsigned i;

	len = lbnNorm_64(num, len);
	if (len) {
		t = BIGLITTLE(*(num-len),*(num+(len-1)));
		assert(t);
		len *= 64;
		i = 64/2;
		do {
			if (t >> i)
				t >>= i;
			else
				len -= i;
		} while ((i /= 2) != 0);
	}
	return len;
}
#endif /* lbnBits_64 */

/*
 * If defined, use hand-rolled divide rather than compiler's native.
 * If the machine doesn't do it in line, the manual code is probably
 * faster, since it can assume normalization and the fact that the
 * quotient will fit into 64 bits, which a general 128-bit divide
 * in a compiler's run-time library can't do.
 */
#ifndef BN_SLOW_DIVIDE_128
/* Assume that divisors of more than thirty-two bits are slow */
#define BN_SLOW_DIVIDE_128 (128 > 0x20)
#endif

/*
 * Return (nh<<64|nl) % d, and place the quotient digit into *q.
 * It is guaranteed that nh < d, and that d is normalized (with its high
 * bit set).  If we have a double-width type, it's easy.  If not, ooh,
 * yuk!
 */
#ifndef lbnDiv21_64
#if defined(BNWORD128) && !BN_SLOW_DIVIDE_128
BNWORD64
lbnDiv21_64(BNWORD64 *q, BNWORD64 nh, BNWORD64 nl, BNWORD64 d)
{
	BNWORD128 n = (BNWORD128)nh << 64 | nl;

	/* Divisor must be normalized */
	assert(d >> (64-1) == 1);

	*q = n / d;
	return n % d;
}
#else
/*
 * This is where it gets ugly.
 *
 * Do the division in two halves, using Algorithm D from section 4.3.1
 * of Knuth.  Note Theorem B from that section, that the quotient estimate
 * is never more than the true quotient, and is never more than two
 * too low.
 *
 * The mapping onto conventional long division is (everything a half word):
 *        _____________qh___ql_
 * dh dl ) nh.h nh.l nl.h nl.l
 *             - (qh * d)
 *            -----------
 *              rrrr rrrr nl.l
 *                  - (ql * d)
 *                -----------
 *                  rrrr rrrr
 *
 * The implicit 3/2-digit d*qh and d*ql subtractors are computed this way:
 *   First, estimate a q digit so that nh/dh works.  Subtracting qh*dh from
 *   the (nh.h nh.l) list leaves a 1/2-word remainder r.  Then compute the
 *   low part of the subtractor, qh * dl.   This also needs to be subtracted
 *   from (nh.h nh.l nl.h) to get the final remainder.  So we take the
 *   remainder, which is (nh.h nh.l) - qh*dl, shift it and add in nl.h, and
 *   try to subtract qh * dl from that.  Since the remainder is 1/2-word
 *   long, shifting and adding nl.h results in a single word r.
 *   It is possible that the remainder we're working with, r, is less than
 *   the product qh * dl, if we estimated qh too high.  The estimation
 *   technique can produce a qh that is too large (never too small), leading
 *   to r which is too small.  In that case, decrement the digit qh, add
 *   shifted dh to r (to correct for that error), and subtract dl from the
 *   product we're comparing r with.  That's the "correct" way to do it, but
 *   just adding dl to r instead of subtracting it from the product is
 *   equivalent and a lot simpler.  You just have to watch out for overflow.
 *
 *   The process is repeated with (rrrr rrrr nl.l) for the low digit of the
 *   quotient ql.
 *
 * The various uses of 64/2 for shifts are because of the note about
 * automatic editing of this file at the very top of the file.
 */
#define highhalf(x) ( (x) >> 64/2 )
#define lowhalf(x) ( (x) & (((BNWORD64)1 << 64/2)-1) )
BNWORD64
lbnDiv21_64(BNWORD64 *q, BNWORD64 nh, BNWORD64 nl, BNWORD64 d)
{
	BNWORD64 dh = highhalf(d), dl = lowhalf(d);
	BNWORD64 qh, ql, prod, r;

	/* Divisor must be normalized */
	assert((d >> (64-1)) == 1);

	/* Do first half-word of division */
	qh = nh / dh;
	r = nh % dh;
	prod = qh * dl;

	/*
	 * Add next half-word of numerator to remainder and correct.
	 * qh may be up to two too large.
	 */
	r = (r << (64/2)) | highhalf(nl);
	if (r < prod) {
		--qh; r += d;
		if (r >= d && r < prod) {
			--qh; r += d;
		}
	}
	r -= prod;

	/* Do second half-word of division */
	ql = r / dh;
	r = r % dh;
	prod = ql * dl;

	r = (r << (64/2)) | lowhalf(nl);
	if (r < prod) {
		--ql; r += d;
		if (r >= d && r < prod) {
			--ql; r += d;
		}
	}
	r -= prod;

	*q = (qh << (64/2)) | ql;

	return r;
}
#endif
#endif /* lbnDiv21_64 */


/*
 * In the division functions, the dividend and divisor are referred to
 * as "n" and "d", which stand for "numerator" and "denominator".
 *
 * The quotient is (nlen-dlen+1) digits long.  It may be overlapped with
 * the high (nlen-dlen) words of the dividend, but one extra word is needed
 * on top to hold the top word.
 */

/*
 * Divide an n-word number by a 1-word number, storing the remainder
 * and n-1 words of the n-word quotient.  The high word is returned.
 * It IS legal for rem to point to the same address as n, and for
 * q to point one word higher.
 *
 * TODO: If BN_SLOW_DIVIDE_128, add a divnhalf_64 which uses 64-bit
 *       dividends if the divisor is half that long.
 * TODO: Shift the dividend on the fly to avoid the last division and
 *       instead have a remainder that needs shifting.
 * TODO: Use reciprocals rather than dividing.
 */
#ifndef lbnDiv1_64
BNWORD64
lbnDiv1_64(BNWORD64 *q, BNWORD64 *rem, BNWORD64 const *n, unsigned len,
	BNWORD64 d)
{
	unsigned shift;
	unsigned xlen;
	BNWORD64 r;
	BNWORD64 qhigh;

	assert(len > 0);
	assert(d);

	if (len == 1) {
		r = *n;
		*rem = r%d;
		return r/d;
	}

	shift = 0;
	r = d;
	xlen = 64/2;
	do {
		if (r >> xlen)
			r >>= xlen;
		else
			shift += xlen;
	} while ((xlen /= 2) != 0);
	assert((d >> (64-1-shift)) == 1);
	d <<= shift;

	BIGLITTLE(q -= len-1,q += len-1);
	BIGLITTLE(n -= len,n += len);

	r = BIGLITTLE(*n++,*--n);
	if (r < d) {
		qhigh = 0;
	} else {
		qhigh = r/d;
		r %= d;
	}

	xlen = len;
	while (--xlen)
		r = lbnDiv21_64(BIGLITTLE(q++,--q), r, BIGLITTLE(*n++,*--n), d);

	/*
	 * Final correction for shift - shift the quotient up "shift"
	 * bits, and merge in the extra bits of quotient.  Then reduce
	 * the final remainder mod the real d.
	 */
	if (shift) {
		d >>= shift;
		qhigh = (qhigh << shift) | lbnLshift_64(q, len-1, shift);
		BIGLITTLE(q[-1],*q) |= r/d;
		r %= d;
	}
	*rem = r;

	return qhigh;
}
#endif

/*
 * This function performs a "quick" modulus of a number with a divisor
 * d which is guaranteed to be at most sixteen bits, i.e. less than 65536.
 * This applies regardless of the word size the library is compiled with.
 *
 * This function is important to prime generation, for sieving.
 */
#ifndef lbnModQ_64
/* If there's a custom lbnMod21_64, no normalization needed */
#ifdef lbnMod21_64
unsigned
lbnModQ_64(BNWORD64 const *n, unsigned len, unsigned d)
{
	unsigned i, shift;
	BNWORD64 r;

	assert(len > 0);

	BIGLITTLE(n -= len,n += len);

	/* Try using a compare to avoid the first divide */
	r = BIGLITTLE(*n++,*--n);
	if (r >= d)
		r %= d;
	while (--len)
		r = lbnMod21_64(r, BIGLITTLE(*n++,*--n), d);

	return r;
}
#elif defined(BNWORD128) && !BN_SLOW_DIVIDE_128
unsigned
lbnModQ_64(BNWORD64 const *n, unsigned len, unsigned d)
{
	BNWORD64 r;

	if (!--len)
		return BIGLITTLE(n[-1],n[0]) % d;

	BIGLITTLE(n -= len,n += len);
	r = BIGLITTLE(n[-1],n[0]);

	do {
		r = (BNWORD64)((((BNWORD128)r<<64) | BIGLITTLE(*n++,*--n)) % d);
	} while (--len);

	return r;
}
#elif 64 >= 0x20
/*
 * If the single word size can hold 65535*65536, then this function
 * is avilable.
 */
#ifndef highhalf
#define highhalf(x) ( (x) >> 64/2 )
#define lowhalf(x) ( (x) & ((1 << 64/2)-1) )
#endif
unsigned
lbnModQ_64(BNWORD64 const *n, unsigned len, unsigned d)
{
	BNWORD64 r, x;

	BIGLITTLE(n -= len,n += len);

	r = BIGLITTLE(*n++,*--n);
	while (--len) {
		x = BIGLITTLE(*n++,*--n);
		r = (r%d << 64/2) | highhalf(x);
		r = (r%d << 64/2) | lowhalf(x);
	}

	return r%d;
}
#else
/* Default case - use lbnDiv21_64 */
unsigned
lbnModQ_64(BNWORD64 const *n, unsigned len, unsigned d)
{
	unsigned i, shift;
	BNWORD64 r;
	BNWORD64 q;

	assert(len > 0);

	shift = 0;
	r = d;
	i = 64;
	while (i /= 2) {
		if (r >> i)
			r >>= i;
		else
			shift += i;
	}
	assert(d >> (64-1-shift) == 1);
	d <<= shift;

	BIGLITTLE(n -= len,n += len);

	r = BIGLITTLE(*n++,*--n);
	if (r >= d)
		r %= d;

	while (--len)
		r = lbnDiv21_64(&q, r, BIGLITTLE(*n++,*--n), d);

	/*
	 * Final correction for shift - shift the quotient up "shift"
	 * bits, and merge in the extra bits of quotient.  Then reduce
	 * the final remainder mod the real d.
	 */
	if (shift)
		r %= d >> shift;

	return r;
}
#endif
#endif /* lbnModQ_64 */

/*
 * Reduce n mod d and return the quotient.  That is, find:
 * q = n / d;
 * n = n % d;
 * d is altered during the execution of this subroutine by normalizing it.
 * It must already have its most significant word non-zero; it is shifted
 * so its most significant bit is non-zero.
 *
 * The quotient q is nlen-dlen+1 words long.  To make it possible to
 * overlap the quptient with the input (you can store it in the high dlen
 * words), the high word of the quotient is *not* stored, but is returned.
 * (If all you want is the remainder, you don't care about it, anyway.)
 *
 * This uses algorithm D from Knuth (4.3.1), except that we do binary
 * (shift) normalization of the divisor.  WARNING: This is hairy!
 *
 * This function is used for some modular reduction, but it is not used in
 * the modular exponentiation loops; they use Montgomery form and the
 * corresponding, more efficient, Montgomery reduction.  This code
 * is needed for the conversion to Montgomery form, however, so it
 * has to be here and it might as well be reasonably efficient.
 *
 * The overall operation is as follows ("top" and "up" refer to the
 * most significant end of the number; "bottom" and "down", the least):
 *
 * - Shift the divisor up until the most significant bit is set.
 * - Shift the dividend up the same amount.  This will produce the
 *   correct quotient, and the remainder can be recovered by shifting
 *   it back down the same number of bits.  This may produce an overflow
 *   word, but the word is always strictly less than the most significant
 *   divisor word.
 * - Estimate the first quotient digit qhat:
 *   - First take the top two words (one of which is the overflow) of the
 *     dividend and divide by the top word of the divisor:
 *     qhat = (nh,nm)/dh.  This qhat is >= the correct quotient digit
 *     and, since dh is normalized, it is at most two over.
 *   - Second, correct by comparing the top three words.  If
 *     (dh,dl) * qhat > (nh,nm,ml), decrease qhat and try again.
 *     The second iteration can be simpler because there can't be a third.
 *     The computation can be simplified by subtracting dh*qhat from
 *     both sides, suitably shifted.  This reduces the left side to
 *     dl*qhat.  On the right, (nh,nm)-dh*qhat is simply the
 *     remainder r from (nh,nm)%dh, so the right is (r,nl).
 *     This produces qhat that is almost always correct and at
 *     most (prob ~ 2/2^64) one too high.
 * - Subtract qhat times the divisor (suitably shifted) from the dividend.
 *   If there is a borrow, qhat was wrong, so decrement it
 *   and add the divisor back in (once).
 * - Store the final quotient digit qhat in the quotient array q.
 *
 * Repeat the quotient digit computation for successive digits of the
 * quotient until the whole quotient has been computed.  Then shift the
 * divisor and the remainder down to correct for the normalization.
 *
 * TODO: Special case 2-word divisors.
 * TODO: Use reciprocals rather than dividing.
 */
#ifndef divn_64
BNWORD64
lbnDiv_64(BNWORD64 *q, BNWORD64 *n, unsigned nlen, BNWORD64 *d, unsigned dlen)
{
	BNWORD64 nh,nm,nl;	/* Top three words of the dividend */
	BNWORD64 dh,dl;	/* Top two words of the divisor */
	BNWORD64 qhat;	/* Extimate of quotient word */
	BNWORD64 r;	/* Remainder from quotient estimate division */
	BNWORD64 qhigh;	/* High word of quotient */
	unsigned i;	/* Temp */
	unsigned shift;	/* Bits shifted by normalization */
	unsigned qlen = nlen-dlen; /* Size of quotient (less 1) */
#ifdef mul64_ppmm
	BNWORD64 t64;
#elif defined(BNWORD128)
	BNWORD128 t128;
#else /* use lbnMulN1_64 */
	BNWORD64 t2[2];
#define t2high BIGLITTLE(t2[0],t2[1])
#define t2low BIGLITTLE(t2[1],t2[0])
#endif

	assert(dlen);
	assert(nlen >= dlen);

	/*
	 * Special cases for short divisors.  The general case uses the
	 * top top 2 digits of the divisor (d) to estimate a quotient digit,
	 * so it breaks if there are fewer digits available.  Thus, we need
	 * special cases for a divisor of length 1.  A divisor of length
	 * 2 can have a *lot* of administrivia overhead removed removed,
	 * so it's probably worth special-casing that case, too.
	 */
	if (dlen == 1)
		return lbnDiv1_64(q, BIGLITTLE(n-1,n), n, nlen,
		                  BIGLITTLE(d[-1],d[0]));

#if 0
	/*
	 * @@@ This is not yet written...  The general loop will do,
	 * albeit less efficiently
	 */
	if (dlen == 2) {
		/*
		 * divisor two digits long:
		 * use the 3/2 technique from Knuth, but we know
		 * it's exact.
		 */
		dh = BIGLITTLE(d[-1],d[0]);
		dl = BIGLITTLE(d[-2],d[1]);
		shift = 0;
		if ((sh & ((BNWORD64)1 << 64-1-shift)) == 0) {
			do {
				shift++;
			} while (dh & (BNWORD64)1<<64-1-shift) == 0);
			dh = dh << shift | dl >> (64-shift);
			dl <<= shift;


		}


		for (shift = 0; (dh & (BNWORD64)1 << 64-1-shift)) == 0; shift++)
			;
		if (shift) {
		}
		dh = dh << shift | dl >> (64-shift);
		shift = 0;
		while (dh
	}
#endif

	dh = BIGLITTLE(*(d-dlen),*(d+(dlen-1)));
	assert(dh);

	/* Normalize the divisor */
	shift = 0;
	r = dh;
	i = 64/2;
	do {
		if (r >> i)
			r >>= i;
		else
			shift += i;
	} while ((i /= 2) != 0);

	nh = 0;
	if (shift) {
		lbnLshift_64(d, dlen, shift);
		dh = BIGLITTLE(*(d-dlen),*(d+(dlen-1)));
		nh = lbnLshift_64(n, nlen, shift);
	}

	/* Assert that dh is now normalized */
	assert(dh >> (64-1));

	/* Also get the second-most significant word of the divisor */
	dl = BIGLITTLE(*(d-(dlen-1)),*(d+(dlen-2)));

	/*
	 * Adjust pointers: n to point to least significant end of first
	 * first subtract, and q to one the most-significant end of the
	 * quotient array.
	 */
	BIGLITTLE(n -= qlen,n += qlen);
	BIGLITTLE(q -= qlen,q += qlen);

	/* Fetch the most significant stored word of the dividend */
	nm = BIGLITTLE(*(n-dlen),*(n+(dlen-1)));

	/*
	 * Compute the first digit of the quotient, based on the
	 * first two words of the dividend (the most significant of which
	 * is the overflow word h).
	 */
	if (nh) {
		assert(nh < dh);
		r = lbnDiv21_64(&qhat, nh, nm, dh);
	} else if (nm >= dh) {
		qhat = nm/dh;
		r = nm % dh;
	} else {	/* Quotient is zero */
		qhigh = 0;
		goto divloop;
	}

	/* Now get the third most significant word of the dividend */
	nl = BIGLITTLE(*(n-(dlen-1)),*(n+(dlen-2)));

	/*
	 * Correct qhat, the estimate of quotient digit.
	 * qhat can only be high, and at most two words high,
	 * so the loop can be unrolled and abbreviated.
	 */
#ifdef mul64_ppmm
	mul64_ppmm(nm, t64, qhat, dl);
	if (nm > r || (nm == r && t64 > nl)) {
		/* Decrement qhat and adjust comparison parameters */
		qhat--;
		if ((r += dh) >= dh) {
			nm -= (t64 < dl);
			t64 -= dl;
			if (nm > r || (nm == r && t64 > nl))
				qhat--;
		}
	}
#elif defined(BNWORD128)
	t128 = (BNWORD128)qhat * dl;
	if (t128 > ((BNWORD128)r << 64) + nl) {
		/* Decrement qhat and adjust comparison parameters */
		qhat--;
		if ((r += dh) > dh) {
			t128 -= dl;
			if (t128 > ((BNWORD128)r << 64) + nl)
				qhat--;
		}
	}
#else /* Use lbnMulN1_64 */
	lbnMulN1_64(BIGLITTLE(t2+2,t2), &dl, 1, qhat);
	if (t2high > r || (t2high == r && t2low > nl)) {
		/* Decrement qhat and adjust comparison parameters */
		qhat--;
		if ((r += dh) >= dh) {
			t2high -= (t2low < dl);
			t2low -= dl;
			if (t2high > r || (t2high == r && t2low > nl))
				qhat--;
		}
	}
#endif

	/* Do the multiply and subtract */
	r = lbnMulSub1_64(n, d, dlen, qhat);
	/* If there was a borrow, add back once. */
	if (r > nh) {	/* Borrow? */
		(void)lbnAddN_64(n, d, dlen);
		qhat--;
	}

	/* Remember the first quotient digit. */
	qhigh = qhat;

	/* Now, the main division loop: */
divloop:
	while (qlen--) {

		/* Advance n */
		nh = BIGLITTLE(*(n-dlen),*(n+(dlen-1)));
		BIGLITTLE(++n,--n);
		nm = BIGLITTLE(*(n-dlen),*(n+(dlen-1)));

		if (nh == dh) {
			qhat = ~(BNWORD64)0;
			/* Optimized computation of r = (nh,nm) - qhat * dh */
			r = nh + nm;
			if (r < nh)
				goto subtract;
		} else {
			assert(nh < dh);
			r = lbnDiv21_64(&qhat, nh, nm, dh);
		}

		nl = BIGLITTLE(*(n-(dlen-1)),*(n+(dlen-2)));
#ifdef mul64_ppmm
		mul64_ppmm(nm, t64, qhat, dl);
		if (nm > r || (nm == r && t64 > nl)) {
			/* Decrement qhat and adjust comparison parameters */
			qhat--;
			if ((r += dh) >= dh) {
				nm -= (t64 < dl);
				t64 -= dl;
				if (nm > r || (nm == r && t64 > nl))
					qhat--;
			}
		}
#elif defined(BNWORD128)
		t128 = (BNWORD128)qhat * dl;
		if (t128 > ((BNWORD128)r<<64) + nl) {
			/* Decrement qhat and adjust comparison parameters */
			qhat--;
			if ((r += dh) >= dh) {
				t128 -= dl;
				if (t128 > ((BNWORD128)r << 64) + nl)
					qhat--;
			}
		}
#else /* Use lbnMulN1_64 */
		lbnMulN1_64(BIGLITTLE(t2+2,t2), &dl, 1, qhat);
		if (t2high > r || (t2high == r && t2low > nl)) {
			/* Decrement qhat and adjust comparison parameters */
			qhat--;
			if ((r += dh) >= dh) {
				t2high -= (t2low < dl);
				t2low -= dl;
				if (t2high > r || (t2high == r && t2low > nl))
					qhat--;
			}
		}
#endif

		/*
		 * As a point of interest, note that it is not worth checking
		 * for qhat of 0 or 1 and installing special-case code.  These
		 * occur with probability 2^-64, so spending 1 cycle to check
		 * for them is only worth it if we save more than 2^15 cycles,
		 * and a multiply-and-subtract for numbers in the 1024-bit
		 * range just doesn't take that long.
		 */
subtract:
		/*
		 * n points to the least significant end of the substring
		 * of n to be subtracted from.  qhat is either exact or
		 * one too large.  If the subtract gets a borrow, it was
		 * one too large and the divisor is added back in.  It's
		 * a dlen+1 word add which is guaranteed to produce a
		 * carry out, so it can be done very simply.
		 */
		r = lbnMulSub1_64(n, d, dlen, qhat);
		if (r > nh) {	/* Borrow? */
			(void)lbnAddN_64(n, d, dlen);
			qhat--;
		}
		/* Store the quotient digit */
		BIGLITTLE(*q++,*--q) = qhat;
	}
	/* Tah dah! */

	if (shift) {
		lbnRshift_64(d, dlen, shift);
		lbnRshift_64(n, dlen, shift);
	}

	return qhigh;
}
#endif

/*
 * Find the negative multiplicative inverse of x (x must be odd!) modulo 2^64.
 *
 * This just performs Newton's iteration until it gets the
 * inverse.  The initial estimate is always correct to 3 bits, and
 * sometimes 4.  The number of valid bits doubles each iteration.
 * (To prove it, assume x * y == 1 (mod 2^n), and introduce a variable
 * for the error mod 2^2n.  x * y == 1 + k*2^n (mod 2^2n) and follow
 * the iteration through.)
 */
#ifndef lbnMontInv1_64
BNWORD64
lbnMontInv1_64(BNWORD64 const x)
{
        BNWORD64 y = x, z;

	assert(x & 1);

        while ((z = x*y) != 1)
                y *= 2 - z;
        return -y;
}
#endif /* !lbnMontInv1_64 */

#if defined(BNWORD128) && PRODUCT_SCAN
/*
 * Test code for product-scanning Montgomery reduction.
 * This seems to slow the C code down rather than speed it up.
 *
 * The first loop computes the Montgomery multipliers, storing them over
 * the low half of the number n.
 *
 * The second half multiplies the upper half, adding in the modulus
 * times the Montgomery multipliers.  The results of this multiply
 * are stored.
 */
void
lbnMontReduce_64(BNWORD64 *n, BNWORD64 const *mod, unsigned mlen, BNWORD64 inv)
{
	BNWORD128 x, y;
	BNWORD64 const *pm;
	BNWORD64 *pn;
	BNWORD64 t;
	unsigned carry;
	unsigned i, j;

	/* Special case of zero */
	if (!mlen)
		return;

	/* Pass 1 - compute Montgomery multipliers */
	/* First iteration can have certain simplifications. */
	t = BIGLITTLE(n[-1],n[0]);
	x = t;
	t *= inv;
	BIGLITTLE(n[-1], n[0]) = t;
	x += (BNWORD128)t * BIGLITTLE(mod[-1],mod[0]); /* Can't overflow */
	assert((BNWORD64)x == 0);
	x = x >> 64;

	for (i = 1; i < mlen; i++) {
		carry = 0;
		pn = n;
		pm = BIGLITTLE(mod-i-1,mod+i+1);
		for (j = 0; j < i; j++) {
			y = (BNWORD128)BIGLITTLE(*--pn * *pm++, *pn++ * *--pm);
			x += y;
			carry += (x < y);
		}
		assert(BIGLITTLE(pn == n-i, pn == n+i));
		y = t = BIGLITTLE(pn[-1], pn[0]);
		x += y;
		carry += (x < y);
		BIGLITTLE(pn[-1], pn[0]) = t = inv * (BNWORD64)x;
		assert(BIGLITTLE(pm == mod-1, pm == mod+1));
		y = (BNWORD128)t * BIGLITTLE(pm[0],pm[-1]);
		x += y;
		carry += (x < y);
		assert((BNWORD64)x == 0);
		x = x >> 64 | (BNWORD128)carry << 64;
	}

	BIGLITTLE(n -= mlen, n += mlen);

	/* Pass 2 - compute upper words and add to n */
	for (i = 1; i < mlen; i++) {
		carry = 0;
		pm = BIGLITTLE(mod-i,mod+i);
		pn = n;
		for (j = i; j < mlen; j++) {
			y = (BNWORD128)BIGLITTLE(*--pm * *pn++, *pm++ * *--pn);
			x += y;
			carry += (x < y);
		}
		assert(BIGLITTLE(pm == mod-mlen, pm == mod+mlen));
		assert(BIGLITTLE(pn == n+mlen-i, pn == n-mlen+i));
		y = t = BIGLITTLE(*(n-i),*(n+i-1));
		x += y;
		carry += (x < y);
		BIGLITTLE(*(n-i),*(n+i-1)) = (BNWORD64)x;
		x = (x >> 64) | (BNWORD128)carry << 64;
	}

	/* Last round of second half, simplified. */
	t = BIGLITTLE(*(n-mlen),*(n+mlen-1));
	x += t;
	BIGLITTLE(*(n-mlen),*(n+mlen-1)) = (BNWORD64)x;
	carry = (unsigned)(x >> 64);

	while (carry)
		carry -= lbnSubN_64(n, mod, mlen);
	while (lbnCmp_64(n, mod, mlen) >= 0)
		(void)lbnSubN_64(n, mod, mlen);
}
#define lbnMontReduce_64 lbnMontReduce_64
#endif

/*
 * Montgomery reduce n, modulo mod.  This reduces modulo mod and divides by
 * 2^(64*mlen).  Returns the result in the *top* mlen words of the argument n.
 * This is ready for another multiplication using lbnMul_64.
 *
 * Montgomery representation is a very useful way to encode numbers when
 * you're doing lots of modular reduction.  What you do is pick a multiplier
 * R which is relatively prime to the modulus and very easy to divide by.
 * Since the modulus is odd, R is closen as a power of 2, so the division
 * is a shift.  In fact, it's a shift of an integral number of words,
 * so the shift can be implicit - just drop the low-order words.
 *
 * Now, choose R *larger* than the modulus m, 2^(64*mlen).  Then convert
 * all numbers a, b, etc. to Montgomery form M(a), M(b), etc using the
 * relationship M(a) = a*R mod m, M(b) = b*R mod m, etc.  Note that:
 * - The Montgomery form of a number depends on the modulus m.
 *   A fixed modulus m is assumed throughout this discussion.
 * - Since R is relaitvely prime to m, multiplication by R is invertible;
 *   no information about the numbers is lost, they're just scrambled.
 * - Adding (and subtracting) numbers in this form works just as usual.
 *   M(a+b) = (a+b)*R mod m = (a*R + b*R) mod m = (M(a) + M(b)) mod m
 * - Multiplying numbers in this form produces a*b*R*R.  The problem
 *   is to divide out the excess factor of R, modulo m as well as to
 *   reduce to the given length mlen.  It turns out that this can be
 *   done *faster* than a normal divide, which is where the speedup
 *   in Montgomery division comes from.
 *
 * Normal reduction chooses a most-significant quotient digit q and then
 * subtracts q*m from the number to be reduced.  Choosing q is tricky
 * and involved (just look at lbnDiv_64 to see!) and is usually
 * imperfect, requiring a check for correction after the subtraction.
 *
 * Montgomery reduction *adds* a multiple of m to the *low-order* part
 * of the number to be reduced.  This multiple is chosen to make the
 * low-order part of the number come out to zero.  This can be done
 * with no trickery or error using a precomputed inverse of the modulus.
 * In this code, the "part" is one word, but any width can be used.
 *
 * Repeating this step sufficiently often results in a value which
 * is a multiple of R (a power of two, remember) but is still (since
 * the additions were to the low-order part and thus did not increase
 * the value of the number being reduced very much) still not much
 * larger than m*R.  Then implicitly divide by R and subtract off
 * m until the result is in the correct range.
 *
 * Since the low-order part being cancelled is less than R, the
 * multiple of m added must have a multiplier which is at most R-1.
 * Assuming that the input is at most m*R-1, the final number is
 * at most m*(2*R-1)-1 = 2*m*R - m - 1, so subtracting m once from
 * the high-order part, equivalent to subtracting m*R from the
 * while number, produces a result which is at most m*R - m - 1,
 * which divided by R is at most m-1.
 *
 * To convert *to* Montgomery form, you need a regular remainder
 * routine, although you can just compute R*R (mod m) and do the
 * conversion using Montgomery multiplication.  To convert *from*
 * Montgomery form, just Montgomery reduce the number to
 * remove the extra factor of R.
 *
 * TODO: Change to a full inverse and use Karatsuba's multiplication
 * rather than this word-at-a-time.
 */
#ifndef lbnMontReduce_64
void
lbnMontReduce_64(BNWORD64 *n, BNWORD64 const *mod, unsigned const mlen,
                BNWORD64 inv)
{
	BNWORD64 t;
	BNWORD64 c = 0;
	unsigned len = mlen;

	/* inv must be the negative inverse of mod's least significant word */
	assert((BNWORD64)(inv * BIGLITTLE(mod[-1],mod[0])) == (BNWORD64)-1);

	assert(len);

	do {
		t = lbnMulAdd1_64(n, mod, mlen, inv * BIGLITTLE(n[-1],n[0]));
		c += lbnAdd1_64(BIGLITTLE(n-mlen,n+mlen), len, t);
		BIGLITTLE(--n,++n);
	} while (--len);

	/*
	 * All that adding can cause an overflow past the modulus size,
	 * but it's unusual, and never by much, so a subtraction loop
	 * is the right way to deal with it.
	 * This subtraction happens infrequently - I've only ever seen it
	 * invoked once per reduction, and then just under 22.5% of the time.
	 */
	while (c)
		c -= lbnSubN_64(n, mod, mlen);
	while (lbnCmp_64(n, mod, mlen) >= 0)
		(void)lbnSubN_64(n, mod, mlen);
}
#endif /* !lbnMontReduce_64 */

/*
 * A couple of helpers that you might want to implement atomically
 * in asm sometime.
 */
#ifndef lbnMontMul_64
/*
 * Multiply "num1" by "num2", modulo "mod", all of length "len", and
 * place the result in the high half of "prod".  "inv" is the inverse
 * of the least-significant word of the modulus, modulo 2^64.
 * This uses numbers in Montgomery form.  Reduce using "len" and "inv".
 *
 * This is implemented as a macro to win on compilers that don't do
 * inlining, since it's so trivial.
 */
#define lbnMontMul_64(prod, n1, n2, mod, len, inv) \
	(lbnMulX_64(prod, n1, n2, len), lbnMontReduce_64(prod, mod, len, inv))
#endif /* !lbnMontMul_64 */

#ifndef lbnMontSquare_64
/*
 * Square "n", modulo "mod", both of length "len", and place the result
 * in the high half of "prod".  "inv" is the inverse of the least-significant
 * word of the modulus, modulo 2^64.
 * This uses numbers in Montgomery form.  Reduce using "len" and "inv".
 *
 * This is implemented as a macro to win on compilers that don't do
 * inlining, since it's so trivial.
 */
#define lbnMontSquare_64(prod, n, mod, len, inv) \
	(lbnSquare_64(prod, n, len), lbnMontReduce_64(prod, mod, len, inv))

#endif /* !lbnMontSquare_64 */

/*
 * Convert a number to Montgomery form - requires mlen + nlen words
 * of memory in "n".
 */
void
lbnToMont_64(BNWORD64 *n, unsigned nlen, BNWORD64 *mod, unsigned mlen)
{
	/* Move n up "mlen" words */
	lbnCopy_64(BIGLITTLE(n-mlen,n+mlen), n, nlen);
	lbnZero_64(n, mlen);
	/* Do the division - dump the quotient in the high-order words */
	(void)lbnDiv_64(BIGLITTLE(n-mlen,n+mlen), n, mlen+nlen, mod, mlen);
}

/*
 * Convert from Montgomery form.  Montgomery reduction is all that is
 * needed.
 */
void
lbnFromMont_64(BNWORD64 *n, BNWORD64 *mod, unsigned len)
{
	/* Zero the high words of n */
	lbnZero_64(BIGLITTLE(n-len,n+len), len);
	lbnMontReduce_64(n, mod, len, lbnMontInv1_64(mod[BIGLITTLE(-1,0)]));
	/* Move n down len words */
	lbnCopy_64(n, BIGLITTLE(n-len,n+len), len);
}

/*
 * The windowed exponentiation algorithm, precomputes a table of odd
 * powers of n up to 2^k.  See the comment in bnExpMod_64 below for
 * an explanation of how it actually works works.
 *
 * It takes 2^(k-1)-1 multiplies to compute the table, and (e-1)/(k+1)
 * multiplies (on average) to perform the exponentiation.  To minimize
 * the sum, k must vary with e.  The optimal window sizes vary with the
 * exponent length.  Here are some selected values and the boundary cases.
 * (An underscore _ has been inserted into some of the numbers to ensure
 * that magic strings like 64 do not appear in this table.  It should be
 * ignored.)
 *
 * At e =    1 bits, k=1   (0.000000) is best
 * At e =    2 bits, k=1   (0.500000) is best
 * At e =    4 bits, k=1   (1.500000) is best
 * At e =    8 bits, k=2   (3.333333) < k=1   (3.500000)
 * At e =  1_6 bits, k=2   (6.000000) is best
 * At e =   26 bits, k=3   (9.250000) < k=2   (9.333333)
 * At e =  3_2 bits, k=3  (10.750000) is best
 * At e =  6_4 bits, k=3  (18.750000) is best
 * At e =   82 bits, k=4  (23.200000) < k=3  (23.250000)
 * At e =  128 bits, k=4 (3_2.400000) is best
 * At e =  242 bits, k=5  (55.1_66667) < k=4 (55.200000)
 * At e =  256 bits, k=5  (57.500000) is best
 * At e =  512 bits, k=5 (100.1_66667) is best
 * At e =  674 bits, k=6 (127.142857) < k=5 (127.1_66667)
 * At e = 1024 bits, k=6 (177.142857) is best
 * At e = 1794 bits, k=7 (287.125000) < k=6 (287.142857)
 * At e = 2048 bits, k=7 (318.875000) is best
 * At e = 4096 bits, k=7 (574.875000) is best
 *
 * The numbers in parentheses are the expected number of multiplications
 * needed to do the computation.  The normal russian-peasant modular
 * exponentiation technique always uses (e-1)/2.  For exponents as
 * small as 192 bits (below the range of current factoring algorithms),
 * half of the multiplies are eliminated, 45.2 as opposed to the naive
 * 95.5.  Counting the 191 squarings as 3/4 a multiply each (squaring
 * proper is just over half of multiplying, but the Montgomery
 * reduction in each case is also a multiply), that's 143.25
 * multiplies, for totals of 188.45 vs. 238.75 - a 21% savings.
 * For larger exponents (like 512 bits), it's 483.92 vs. 639.25, a
 * 24.3% savings.  It asymptotically approaches 25%.
 *
 * Um, actually there's a slightly more accurate way to count, which
 * really is the average number of multiplies required, averaged
 * uniformly over all 2^(e-1) e-bit numbers, from 2^(e-1) to (2^e)-1.
 * It's based on the recurrence that for the last b bits, b <= k, at
 * most one multiply is needed (and none at all 1/2^b of the time),
 * while when b > k, the odds are 1/2 each way that the bit will be
 * 0 (meaning no multiplies to reduce it to the b-1-bit case) and
 * 1/2 that the bit will be 1, starting a k-bit window and requiring
 * 1 multiply beyond the b-k-bit case.  Since the most significant
 * bit is always 1, a k-bit window always starts there, and that
 * multiply is by 1, so it isn't a multiply at all.  Thus, the
 * number of multiplies is simply that needed for the last e-k bits.
 * This recurrence produces:
 *
 * At e =    1 bits, k=1   (0.000000) is best
 * At e =    2 bits, k=1   (0.500000) is best
 * At e =    4 bits, k=1   (1.500000) is best
 * At e =    6 bits, k=2   (2.437500) < k=1   (2.500000)
 * At e =    8 bits, k=2   (3.109375) is best
 * At e =  1_6 bits, k=2   (5.777771) is best
 * At e =   24 bits, k=3   (8.437629) < k=2   (8.444444)
 * At e =  3_2 bits, k=3  (10.437492) is best
 * At e =  6_4 bits, k=3  (18.437500) is best
 * At e =   81 bits, k=4  (22.6_40000) < k=3  (22.687500)
 * At e =  128 bits, k=4 (3_2.040000) is best
 * At e =  241 bits, k=5  (54.611111) < k=4  (54.6_40000)
 * At e =  256 bits, k=5  (57.111111) is best
 * At e =  512 bits, k=5  (99.777778) is best
 * At e =  673 bits, k=6 (126.591837) < k=5 (126.611111)
 * At e = 1024 bits, k=6 (176.734694) is best
 * At e = 1793 bits, k=7 (286.578125) < k=6 (286.591837)
 * At e = 2048 bits, k=7 (318.453125) is best
 * At e = 4096 bits, k=7 (574.453125) is best
 *
 * This has the rollover points at 6, 24, 81, 241, 673 and 1793 instead
 * of 8, 26, 82, 242, 674, and 1794.  Not a very big difference.
 * (The numbers past that are k=8 at 4609 and k=9 at 11521,
 * vs. one more in each case for the approximation.)
 *
 * Given that exponents for which k>7 are useful are uncommon,
 * a fixed size table for k <= 7 is used for simplicity.
 *
 * The basic number of squarings needed is e-1, although a k-bit
 * window (for k > 1) can save, on average, k-2 of those, too.
 * That savings currently isn't counted here.  It would drive the
 * crossover points slightly lower.
 * (Actually, this win is also reduced in the DoubleExpMod case,
 * meaning we'd have to split the tables.  Except for that, the
 * multiplies by powers of the two bases are independent, so
 * the same logic applies to each as the single case.)
 *
 * Table entry i is the largest number of bits in an exponent to
 * process with a window size of i+1.  Entry 6 is the largest
 * possible unsigned number, so the window will never be more
 * than 7 bits, requiring 2^6 = 0x40 slots.
 */
#define BNEXPMOD_MAX_WINDOW	7
static unsigned const bnExpModThreshTable[BNEXPMOD_MAX_WINDOW] = {
	5, 23, 80, 240, 672, 1792, (unsigned)-1
/*	7, 25, 81, 241, 673, 1793, (unsigned)-1	 ### The old approximations */
};

/*
 * Perform modular exponentiation, as fast as possible!  This uses
 * Montgomery reduction, optimized squaring, and windowed exponentiation.
 * The modulus "mod" MUST be odd!
 *
 * This returns 0 on success, -1 on out of memory.
 *
 * The window algorithm:
 * The idea is to keep a running product of b1 = n^(high-order bits of exp),
 * and then keep appending exponent bits to it.  The following patterns
 * apply to a 3-bit window (k = 3):
 * To append   0: square
 * To append   1: square, multiply by n^1
 * To append  10: square, multiply by n^1, square
 * To append  11: square, square, multiply by n^3
 * To append 100: square, multiply by n^1, square, square
 * To append 101: square, square, square, multiply by n^5
 * To append 110: square, square, multiply by n^3, square
 * To append 111: square, square, square, multiply by n^7
 *
 * Since each pattern involves only one multiply, the longer the pattern
 * the better, except that a 0 (no multiplies) can be appended directly.
 * We precompute a table of odd powers of n, up to 2^k, and can then
 * multiply k bits of exponent at a time.  Actually, assuming random
 * exponents, there is on average one zero bit between needs to
 * multiply (1/2 of the time there's none, 1/4 of the time there's 1,
 * 1/8 of the time, there's 2, 1/64 of the time, there's 3, etc.), so
 * you have to do one multiply per k+1 bits of exponent.
 *
 * The loop walks down the exponent, squaring the result buffer as
 * it goes.  There is a wbits+1 bit lookahead buffer, buf, that is
 * filled with the upcoming exponent bits.  (What is read after the
 * end of the exponent is unimportant, but it is filled with zero here.)
 * When the most-significant bit of this buffer becomes set, i.e.
 * (buf & tblmask) != 0, we have to decide what pattern to multiply
 * by, and when to do it.  We decide, remember to do it in future
 * after a suitable number of squarings have passed (e.g. a pattern
 * of "100" in the buffer requires that we multiply by n^1 immediately;
 * a pattern of "110" calls for multiplying by n^3 after one more
 * squaring), clear the buffer, and continue.
 *
 * When we start, there is one more optimization: the result buffer
 * is implcitly one, so squaring it or multiplying by it can be
 * optimized away.  Further, if we start with a pattern like "100"
 * in the lookahead window, rather than placing n into the buffer
 * and then starting to square it, we have already computed n^2
 * to compute the odd-powers table, so we can place that into
 * the buffer and save a squaring.
 *
 * This means that if you have a k-bit window, to compute n^z,
 * where z is the high k bits of the exponent, 1/2 of the time
 * it requires no squarings.  1/4 of the time, it requires 1
 * squaring, ... 1/2^(k-1) of the time, it reqires k-2 squarings.
 * And the remaining 1/2^(k-1) of the time, the top k bits are a
 * 1 followed by k-1 0 bits, so it again only requires k-2
 * squarings, not k-1.  The average of these is 1.  Add that
 * to the one squaring we have to do to compute the table,
 * and you'll see that a k-bit window saves k-2 squarings
 * as well as reducing the multiplies.  (It actually doesn't
 * hurt in the case k = 1, either.)
 *
 * n must have mlen words allocated.  Although fewer may be in use
 * when n is passed in, all are in use on exit.
 */
int
lbnExpMod_64(BNWORD64 *result, BNWORD64 const *n, unsigned nlen,
	BNWORD64 const *e, unsigned elen, BNWORD64 *mod, unsigned mlen)
{
	BNWORD64 *table[1 << (BNEXPMOD_MAX_WINDOW-1)];
				/* Table of odd powers of n */
	unsigned ebits;		/* Exponent bits */
	unsigned wbits;		/* Window size */
	unsigned tblmask;	/* Mask of exponentiation window */
	BNWORD64 bitpos;	/* Mask of current look-ahead bit */
	unsigned buf;		/* Buffer of exponent bits */
	unsigned multpos;	/* Where to do pending multiply */
	BNWORD64 const *mult;	/* What to multiply by */
	unsigned i;		/* Loop counter */
	int isone;		/* Flag: accum. is implicitly one */
	BNWORD64 *a, *b;	/* Working buffers/accumulators */
	BNWORD64 *t;		/* Pointer into the working buffers */
	BNWORD64 inv;		/* mod^-1 modulo 2^64 */
	int y;			/* bnYield() result */

	assert(mlen);
	assert(nlen <= mlen);

	/* First, a couple of trivial cases. */
	elen = lbnNorm_64(e, elen);
	if (!elen) {
		/* x ^ 0 == 1 */
		lbnZero_64(result, mlen);
		BIGLITTLE(result[-1],result[0]) = 1;
		return 0;
	}
	ebits = lbnBits_64(e, elen);
	if (ebits == 1) {
		/* x ^ 1 == x */
		if (n != result)
			lbnCopy_64(result, n, nlen);
		if (mlen > nlen)
			lbnZero_64(BIGLITTLE(result-nlen,result+nlen),
			           mlen-nlen);
		return 0;
	}

	/* Okay, now move the exponent pointer to the most-significant word */
	e = BIGLITTLE(e-elen, e+elen-1);

	/* Look up appropriate k-1 for the exponent - tblmask = 1<<(k-1) */
	wbits = 0;
	while (ebits > bnExpModThreshTable[wbits])
		wbits++;

	/* Allocate working storage: two product buffers and the tables. */
	LBNALLOC(a, BNWORD64, 2*mlen);
	if (!a)
		return -1;
	LBNALLOC(b, BNWORD64, 2*mlen);
	if (!b) {
		LBNFREE(a, 2*mlen);
		return -1;
	}

	/* Convert to the appropriate table size: tblmask = 1<<(k-1) */
	tblmask = 1u << wbits;

	/* We have the result buffer available, so use it. */
	table[0] = result;

	/*
	 * Okay, we now have a minimal-sized table - expand it.
	 * This is allowed to fail!  If so, scale back the table size
	 * and proceed.
	 */
	for (i = 1; i < tblmask; i++) {
		LBNALLOC(t, BNWORD64, mlen);
		if (!t)	/* Out of memory!  Quit the loop. */
			break;
		table[i] = t;
	}

	/* If we stopped, with i < tblmask, shrink the tables appropriately */
	while (tblmask > i) {
		wbits--;
		tblmask >>= 1;
	}
	/* Free up our overallocations */
	while (--i > tblmask)
		LBNFREE(table[i], mlen);

	/* Okay, fill in the table */

	/* Compute the necessary modular inverse */
	inv = lbnMontInv1_64(mod[BIGLITTLE(-1,0)]);	/* LSW of modulus */

	/* Convert n to Montgomery form */

	/* Move n up "mlen" words into a */
	t = BIGLITTLE(a-mlen, a+mlen);
	lbnCopy_64(t, n, nlen);
	lbnZero_64(a, mlen);
	/* Do the division - lose the quotient into the high-order words */
	(void)lbnDiv_64(t, a, mlen+nlen, mod, mlen);
	/* Copy into first table entry */
	lbnCopy_64(table[0], a, mlen);

	/* Square a into b */
	lbnMontSquare_64(b, a, mod, mlen, inv);

	/* Use high half of b to initialize the table */
	t = BIGLITTLE(b-mlen, b+mlen);
	for (i = 1; i < tblmask; i++) {
		lbnMontMul_64(a, t, table[i-1], mod, mlen, inv);
		lbnCopy_64(table[i], BIGLITTLE(a-mlen, a+mlen), mlen);
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	}

	/* We might use b = n^2 later... */

	/* Initialze the fetch pointer */
	bitpos = (BNWORD64)1 << ((ebits-1) & (64-1));	/* Initialize mask */

	/* This should point to the msbit of e */
	assert((*e & bitpos) != 0);

	/*
	 * Pre-load the window.  Becuase the window size is
	 * never larger than the exponent size, there is no need to
	 * detect running off the end of e in here.
	 *
	 * The read-ahead is controlled by elen and the bitpos mask.
	 * Note that this is *ahead* of ebits, which tracks the
	 * most significant end of the window.  The purpose of this
	 * initialization is to get the two wbits+1 bits apart,
	 * like they should be.
	 *
	 * Note that bitpos and e1len together keep track of the
	 * lookahead read pointer in the exponent that is used here.
	 */
	buf = 0;
	for (i = 0; i <= wbits; i++) {
		buf = (buf << 1) | ((*e & bitpos) != 0);
		bitpos >>= 1;
		if (!bitpos) {
			BIGLITTLE(e++,e--);
			bitpos = (BNWORD64)1 << (64-1);
			elen--;
		}
	}
	assert(buf & tblmask);

	/*
	 * Set the pending multiply positions to a location that will
	 * never be encountered, thus ensuring that nothing will happen
	 * until the need for a multiply appears and one is scheduled.
	 */
	multpos = ebits;	/* A NULL value */
	mult = 0;	/* Force a crash if we use these */

	/*
	 * Okay, now begins the real work.  The first step is
	 * slightly magic, so it's done outside the main loop,
	 * but it's very similar to what's inside.
	 */
	ebits--;	/* Start processing the first bit... */
	isone = 1;

	/*
	 * This is just like the multiply in the loop, except that
	 * - We know the msbit of buf is set, and
	 * - We have the extra value n^2 floating around.
	 * So, do the usual computation, and if the result is that
	 * the buffer should be multiplied by n^1 immediately
	 * (which we'd normally then square), we multiply it
	 * (which reduces to a copy, which reduces to setting a flag)
	 * by n^2 and skip the squaring.  Thus, we do the
	 * multiply and the squaring in one step.
	 */
	assert(buf & tblmask);
	multpos = ebits - wbits;
	while ((buf & 1) == 0) {
		buf >>= 1;
		multpos++;
	}
	/* Intermediates can wrap, but final must NOT */
	assert(multpos <= ebits);
	mult = table[buf>>1];
	buf = 0;

	/* Special case: use already-computed value sitting in buffer */
	if (multpos == ebits)
		isone = 0;

	/*
	 * At this point, the buffer (which is the high half of b) holds
	 * either 1 (implicitly, as the "isone" flag is set), or n^2.
	 */

	/*
	 * The main loop.  The procedure is:
	 * - Advance the window
	 * - If the most-significant bit of the window is set,
	 *   schedule a multiply for the appropriate time in the
	 *   future (may be immediately)
	 * - Perform any pending multiples
	 * - Check for termination
	 * - Square the buffer
	 *
	 * At any given time, the acumulated product is held in
	 * the high half of b.
	 */
	for (;;) {
		ebits--;

		/* Advance the window */
		assert(buf < tblmask);
		buf <<= 1;
		/*
		 * This reads ahead of the current exponent position
		 * (controlled by ebits), so we have to be able to read
		 * past the lsb of the exponents without error.
		 */
		if (elen) {
			buf |= ((*e & bitpos) != 0);
			bitpos >>= 1;
			if (!bitpos) {
				BIGLITTLE(e++,e--);
				bitpos = (BNWORD64)1 << (64-1);
				elen--;
			}
		}

		/* Examine the window for pending multiplies */
		if (buf & tblmask) {
			multpos = ebits - wbits;
			while ((buf & 1) == 0) {
				buf >>= 1;
				multpos++;
			}
			/* Intermediates can wrap, but final must NOT */
			assert(multpos <= ebits);
			mult = table[buf>>1];
			buf = 0;
		}

		/* If we have a pending multiply, do it */
		if (ebits == multpos) {
			/* Multiply by the table entry remembered previously */
			t = BIGLITTLE(b-mlen, b+mlen);
			if (isone) {
				/* Multiply by 1 is a trivial case */
				lbnCopy_64(t, mult, mlen);
				isone = 0;
			} else {
				lbnMontMul_64(a, t, mult, mod, mlen, inv);
				/* Swap a and b */
				t = a; a = b; b = t;
			}
		}

		/* Are we done? */
		if (!ebits)
			break;

		/* Square the input */
		if (!isone) {
			t = BIGLITTLE(b-mlen, b+mlen);
			lbnMontSquare_64(a, t, mod, mlen, inv);
			/* Swap a and b */
			t = a; a = b; b = t;
		}
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	} /* for (;;) */

	assert(!isone);
	assert(!buf);

	/* DONE! */

	/* Convert result out of Montgomery form */
	t = BIGLITTLE(b-mlen, b+mlen);
	lbnCopy_64(b, t, mlen);
	lbnZero_64(t, mlen);
	lbnMontReduce_64(b, mod, mlen, inv);
	lbnCopy_64(result, t, mlen);
	/*
	 * Clean up - free intermediate storage.
	 * Do NOT free table[0], which is the result
	 * buffer.
	 */
	y = 0;
#if BNYIELD
yield:
#endif
	while (--tblmask)
		LBNFREE(table[tblmask], mlen);
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);

	return y;	/* Success */
}

/*
 * Compute and return n1^e1 * n2^e2 mod "mod".
 * result may be either input buffer, or something separate.
 * It must be "mlen" words long.
 *
 * There is a current position in the exponents, which is kept in e1bits.
 * (The exponents are swapped if necessary so e1 is the longer of the two.)
 * At any given time, the value in the accumulator is
 * n1^(e1>>e1bits) * n2^(e2>>e1bits) mod "mod".
 * As e1bits is counted down, this is updated, by squaring it and doing
 * any necessary multiplies.
 * To decide on the necessary multiplies, two windows, each w1bits+1 bits
 * wide, are maintained in buf1 and buf2, which read *ahead* of the
 * e1bits position (with appropriate handling of the case when e1bits
 * drops below w1bits+1).  When the most-significant bit of either window
 * becomes set, indicating that something needs to be multiplied by
 * the accumulator or it will get out of sync, the window is examined
 * to see which power of n1 or n2 to multiply by, and when (possibly
 * later, if the power is greater than 1) the multiply should take
 * place.  Then the multiply and its location are remembered and the
 * window is cleared.
 *
 * If we had every power of n1 in the table, the multiply would always
 * be w1bits steps in the future.  But we only keep the odd powers,
 * so instead of waiting w1bits squarings and then multiplying
 * by n1^k, we wait w1bits-k squarings and multiply by n1.
 *
 * Actually, w2bits can be less than w1bits, but the window is the same
 * size, to make it easier to keep track of where we're reading.  The
 * appropriate number of low-order bits of the window are just ignored.
 */
int
lbnDoubleExpMod_64(BNWORD64 *result,
                   BNWORD64 const *n1, unsigned n1len,
                   BNWORD64 const *e1, unsigned e1len,
                   BNWORD64 const *n2, unsigned n2len,
                   BNWORD64 const *e2, unsigned e2len,
                   BNWORD64 *mod, unsigned mlen)
{
	BNWORD64 *table1[1 << (BNEXPMOD_MAX_WINDOW-1)];
					/* Table of odd powers of n1 */
	BNWORD64 *table2[1 << (BNEXPMOD_MAX_WINDOW-1)];
					/* Table of odd powers of n2 */
	unsigned e1bits, e2bits;	/* Exponent bits */
	unsigned w1bits, w2bits;	/* Window sizes */
	unsigned tblmask;		/* Mask of exponentiation window */
	BNWORD64 bitpos;		/* Mask of current look-ahead bit */
	unsigned buf1, buf2;		/* Buffer of exponent bits */
	unsigned mult1pos, mult2pos;	/* Where to do pending multiply */
	BNWORD64 const *mult1, *mult2;	/* What to multiply by */
	unsigned i;			/* Loop counter */
	int isone;			/* Flag: accum. is implicitly one */
	BNWORD64 *a, *b;		/* Working buffers/accumulators */
	BNWORD64 *t;			/* Pointer into the working buffers */
	BNWORD64 inv;			/* mod^-1 modulo 2^64 */
	int y;				/* bnYield() result */

	assert(mlen);
	assert(n1len <= mlen);
	assert(n2len <= mlen);

	/* First, a couple of trivial cases. */
	e1len = lbnNorm_64(e1, e1len);
	e2len = lbnNorm_64(e2, e2len);

	/* Ensure that the first exponent is the longer */
	e1bits = lbnBits_64(e1, e1len);
	e2bits = lbnBits_64(e2, e2len);
	if (e1bits < e2bits) {
		i = e1len; e1len = e2len; e2len = i;
		i = e1bits; e1bits = e2bits; e2bits = i;
		t = (BNWORD64 *)n1; n1 = n2; n2 = t;
		t = (BNWORD64 *)e1; e1 = e2; e2 = t;
	}
	assert(e1bits >= e2bits);

	/* Handle a trivial case */
	if (!e2len)
		return lbnExpMod_64(result, n1, n1len, e1, e1len, mod, mlen);
	assert(e2bits);

	/* The code below fucks up if the exponents aren't at least 2 bits */
	if (e1bits == 1) {
		assert(e2bits == 1);

		LBNALLOC(a, BNWORD64, n1len+n2len);
		if (!a)
			return -1;

		lbnMul_64(a, n1, n1len, n2, n2len);
		/* Do a direct modular reduction */
		if (n1len + n2len >= mlen)
			(void)lbnDiv_64(a+mlen, a, n1len+n2len, mod, mlen);
		lbnCopy_64(result, a, mlen);
		LBNFREE(a, n1len+n2len);
		return 0;
	}

	/* Okay, now move the exponent pointers to the most-significant word */
	e1 = BIGLITTLE(e1-e1len, e1+e1len-1);
	e2 = BIGLITTLE(e2-e2len, e2+e2len-1);

	/* Look up appropriate k-1 for the exponent - tblmask = 1<<(k-1) */
	w1bits = 0;
	while (e1bits > bnExpModThreshTable[w1bits])
		w1bits++;
	w2bits = 0;
	while (e2bits > bnExpModThreshTable[w2bits])
		w2bits++;

	assert(w1bits >= w2bits);

	/* Allocate working storage: two product buffers and the tables. */
	LBNALLOC(a, BNWORD64, 2*mlen);
	if (!a)
		return -1;
	LBNALLOC(b, BNWORD64, 2*mlen);
	if (!b) {
		LBNFREE(a, 2*mlen);
		return -1;
	}

	/* Convert to the appropriate table size: tblmask = 1<<(k-1) */
	tblmask = 1u << w1bits;
	/* Use buf2 for its size, temporarily */
	buf2 = 1u << w2bits;

	LBNALLOC(t, BNWORD64, mlen);
	if (!t) {
		LBNFREE(b, 2*mlen);
		LBNFREE(a, 2*mlen);
		return -1;
	}
	table1[0] = t;
	table2[0] = result;

	/*
	 * Okay, we now have some minimal-sized tables - expand them.
	 * This is allowed to fail!  If so, scale back the table sizes
	 * and proceed.  We allocate both tables at the same time
	 * so if it fails partway through, they'll both be a reasonable
	 * size rather than one huge and one tiny.
	 * When i passes buf2 (the number of entries in the e2 window,
	 * which may be less than the number of entries in the e1 window),
	 * stop allocating e2 space.
	 */
	for (i = 1; i < tblmask; i++) {
		LBNALLOC(t, BNWORD64, mlen);
		if (!t)	/* Out of memory!  Quit the loop. */
			break;
		table1[i] = t;
		if (i < buf2) {
			LBNALLOC(t, BNWORD64, mlen);
			if (!t) {
				LBNFREE(table1[i], mlen);
				break;
			}
			table2[i] = t;
		}
	}

	/* If we stopped, with i < tblmask, shrink the tables appropriately */
	while (tblmask > i) {
		w1bits--;
		tblmask >>= 1;
	}
	/* Free up our overallocations */
	while (--i > tblmask) {
		if (i < buf2)
			LBNFREE(table2[i], mlen);
		LBNFREE(table1[i], mlen);
	}
	/* And shrink the second window too, if needed */
	if (w2bits > w1bits) {
		w2bits = w1bits;
		buf2 = tblmask;
	}

	/*
	 * From now on, use the w2bits variable for the difference
	 * between w1bits and w2bits.
	 */
	w2bits = w1bits-w2bits;

	/* Okay, fill in the tables */

	/* Compute the necessary modular inverse */
	inv = lbnMontInv1_64(mod[BIGLITTLE(-1,0)]);	/* LSW of modulus */

	/* Convert n1 to Montgomery form */

	/* Move n1 up "mlen" words into a */
	t = BIGLITTLE(a-mlen, a+mlen);
	lbnCopy_64(t, n1, n1len);
	lbnZero_64(a, mlen);
	/* Do the division - lose the quotient into the high-order words */
	(void)lbnDiv_64(t, a, mlen+n1len, mod, mlen);
	/* Copy into first table entry */
	lbnCopy_64(table1[0], a, mlen);

	/* Square a into b */
	lbnMontSquare_64(b, a, mod, mlen, inv);

	/* Use high half of b to initialize the first table */
	t = BIGLITTLE(b-mlen, b+mlen);
	for (i = 1; i < tblmask; i++) {
		lbnMontMul_64(a, t, table1[i-1], mod, mlen, inv);
		lbnCopy_64(table1[i], BIGLITTLE(a-mlen, a+mlen), mlen);
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	}

	/* Convert n2 to Montgomery form */

	t = BIGLITTLE(a-mlen, a+mlen);
	/* Move n2 up "mlen" words into a */
	lbnCopy_64(t, n2, n2len);
	lbnZero_64(a, mlen);
	/* Do the division - lose the quotient into the high-order words */
	(void)lbnDiv_64(t, a, mlen+n2len, mod, mlen);
	/* Copy into first table entry */
	lbnCopy_64(table2[0], a, mlen);

	/* Square it into a */
	lbnMontSquare_64(a, table2[0], mod, mlen, inv);
	/* Copy to b, low half */
	lbnCopy_64(b, t, mlen);

	/* Use b to initialize the second table */
	for (i = 1; i < buf2; i++) {
		lbnMontMul_64(a, b, table2[i-1], mod, mlen, inv);
		lbnCopy_64(table2[i], t, mlen);
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	}

	/*
	 * Okay, a recap: at this point, the low part of b holds
	 * n2^2, the high part holds n1^2, and the tables are
	 * initialized with the odd powers of n1 and n2 from 1
	 * through 2*tblmask-1 and 2*buf2-1.
	 *
	 * We might use those squares in b later, or we might not.
	 */

	/* Initialze the fetch pointer */
	bitpos = (BNWORD64)1 << ((e1bits-1) & (64-1));	/* Initialize mask */

	/* This should point to the msbit of e1 */
	assert((*e1 & bitpos) != 0);

	/*
	 * Pre-load the windows.  Becuase the window size is
	 * never larger than the exponent size, there is no need to
	 * detect running off the end of e1 in here.
	 *
	 * The read-ahead is controlled by e1len and the bitpos mask.
	 * Note that this is *ahead* of e1bits, which tracks the
	 * most significant end of the window.  The purpose of this
	 * initialization is to get the two w1bits+1 bits apart,
	 * like they should be.
	 *
	 * Note that bitpos and e1len together keep track of the
	 * lookahead read pointer in the exponent that is used here.
	 * e2len is not decremented, it is only ever compared with
	 * e1len as *that* is decremented.
	 */
	buf1 = buf2 = 0;
	for (i = 0; i <= w1bits; i++) {
		buf1 = (buf1 << 1) | ((*e1 & bitpos) != 0);
		if (e1len <= e2len)
			buf2 = (buf2 << 1) | ((*e2 & bitpos) != 0);
		bitpos >>= 1;
		if (!bitpos) {
			BIGLITTLE(e1++,e1--);
			if (e1len <= e2len)
				BIGLITTLE(e2++,e2--);
			bitpos = (BNWORD64)1 << (64-1);
			e1len--;
		}
	}
	assert(buf1 & tblmask);

	/*
	 * Set the pending multiply positions to a location that will
	 * never be encountered, thus ensuring that nothing will happen
	 * until the need for a multiply appears and one is scheduled.
	 */
	mult1pos = mult2pos = e1bits;	/* A NULL value */
	mult1 = mult2 = 0;	/* Force a crash if we use these */

	/*
	 * Okay, now begins the real work.  The first step is
	 * slightly magic, so it's done outside the main loop,
	 * but it's very similar to what's inside.
	 */
	isone = 1;	/* Buffer is implicitly 1, so replace * by copy */
	e1bits--;	/* Start processing the first bit... */

	/*
	 * This is just like the multiply in the loop, except that
	 * - We know the msbit of buf1 is set, and
	 * - We have the extra value n1^2 floating around.
	 * So, do the usual computation, and if the result is that
	 * the buffer should be multiplied by n1^1 immediately
	 * (which we'd normally then square), we multiply it
	 * (which reduces to a copy, which reduces to setting a flag)
	 * by n1^2 and skip the squaring.  Thus, we do the
	 * multiply and the squaring in one step.
	 */
	assert(buf1 & tblmask);
	mult1pos = e1bits - w1bits;
	while ((buf1 & 1) == 0) {
		buf1 >>= 1;
		mult1pos++;
	}
	/* Intermediates can wrap, but final must NOT */
	assert(mult1pos <= e1bits);
	mult1 = table1[buf1>>1];
	buf1 = 0;

	/* Special case: use already-computed value sitting in buffer */
	if (mult1pos == e1bits)
		isone = 0;

	/*
	 * The first multiply by a power of n2.  Similar, but
	 * we might not even want to schedule a multiply if e2 is
	 * shorter than e1, and the window might be shorter so
	 * we have to leave the low w2bits bits alone.
	 */
	if (buf2 & tblmask) {
		/* Remember low-order bits for later */
		i = buf2 & ((1u << w2bits) - 1);
		buf2 >>= w2bits;
		mult2pos = e1bits - w1bits + w2bits;
		while ((buf2 & 1) == 0) {
			buf2 >>= 1;
			mult2pos++;
		}
		assert(mult2pos <= e1bits);
		mult2 = table2[buf2>>1];
		buf2 = i;

		if (mult2pos == e1bits) {
			t = BIGLITTLE(b-mlen, b+mlen);
			if (isone) {
				lbnCopy_64(t, b, mlen);	/* Copy low to high */
				isone = 0;
			} else {
				lbnMontMul_64(a, t, b, mod, mlen, inv);
				t = a; a = b; b = t;
			}
		}
	}

	/*
	 * At this point, the buffer (which is the high half of b)
	 * holds either 1 (implicitly, as the "isone" flag is set),
	 * n1^2, n2^2 or n1^2 * n2^2.
	 */

	/*
	 * The main loop.  The procedure is:
	 * - Advance the windows
	 * - If the most-significant bit of a window is set,
	 *   schedule a multiply for the appropriate time in the
	 *   future (may be immediately)
	 * - Perform any pending multiples
	 * - Check for termination
	 * - Square the buffers
	 *
	 * At any given time, the acumulated product is held in
	 * the high half of b.
	 */
	for (;;) {
		e1bits--;

		/* Advance the windows */
		assert(buf1 < tblmask);
		buf1 <<= 1;
		assert(buf2 < tblmask);
		buf2 <<= 1;
		/*
		 * This reads ahead of the current exponent position
		 * (controlled by e1bits), so we have to be able to read
		 * past the lsb of the exponents without error.
		 */
		if (e1len) {
			buf1 |= ((*e1 & bitpos) != 0);
			if (e1len <= e2len)
				buf2 |= ((*e2 & bitpos) != 0);
			bitpos >>= 1;
			if (!bitpos) {
				BIGLITTLE(e1++,e1--);
				if (e1len <= e2len)
					BIGLITTLE(e2++,e2--);
				bitpos = (BNWORD64)1 << (64-1);
				e1len--;
			}
		}

		/* Examine the first window for pending multiplies */
		if (buf1 & tblmask) {
			mult1pos = e1bits - w1bits;
			while ((buf1 & 1) == 0) {
				buf1 >>= 1;
				mult1pos++;
			}
			/* Intermediates can wrap, but final must NOT */
			assert(mult1pos <= e1bits);
			mult1 = table1[buf1>>1];
			buf1 = 0;
		}

		/*
		 * Examine the second window for pending multiplies.
		 * Window 2 can be smaller than window 1, but we
		 * keep the same number of bits in buf2, so we need
		 * to ignore any low-order bits in the buffer when
		 * computing what to multiply by, and recompute them
		 * later.
		 */
		if (buf2 & tblmask) {
			/* Remember low-order bits for later */
			i = buf2 & ((1u << w2bits) - 1);
			buf2 >>= w2bits;
			mult2pos = e1bits - w1bits + w2bits;
			while ((buf2 & 1) == 0) {
				buf2 >>= 1;
				mult2pos++;
			}
			assert(mult2pos <= e1bits);
			mult2 = table2[buf2>>1];
			buf2 = i;
		}


		/* If we have a pending multiply for e1, do it */
		if (e1bits == mult1pos) {
			/* Multiply by the table entry remembered previously */
			t = BIGLITTLE(b-mlen, b+mlen);
			if (isone) {
				/* Multiply by 1 is a trivial case */
				lbnCopy_64(t, mult1, mlen);
				isone = 0;
			} else {
				lbnMontMul_64(a, t, mult1, mod, mlen, inv);
				/* Swap a and b */
				t = a; a = b; b = t;
			}
		}

		/* If we have a pending multiply for e2, do it */
		if (e1bits == mult2pos) {
			/* Multiply by the table entry remembered previously */
			t = BIGLITTLE(b-mlen, b+mlen);
			if (isone) {
				/* Multiply by 1 is a trivial case */
				lbnCopy_64(t, mult2, mlen);
				isone = 0;
			} else {
				lbnMontMul_64(a, t, mult2, mod, mlen, inv);
				/* Swap a and b */
				t = a; a = b; b = t;
			}
		}

		/* Are we done? */
		if (!e1bits)
			break;

		/* Square the buffer */
		if (!isone) {
			t = BIGLITTLE(b-mlen, b+mlen);
			lbnMontSquare_64(a, t, mod, mlen, inv);
			/* Swap a and b */
			t = a; a = b; b = t;
		}
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	} /* for (;;) */

	assert(!isone);
	assert(!buf1);
	assert(!buf2);

	/* DONE! */

	/* Convert result out of Montgomery form */
	t = BIGLITTLE(b-mlen, b+mlen);
	lbnCopy_64(b, t, mlen);
	lbnZero_64(t, mlen);
	lbnMontReduce_64(b, mod, mlen, inv);
	lbnCopy_64(result, t, mlen);

	/* Clean up - free intermediate storage */
	y = 0;
#if BNYIELD
yield:
#endif
	buf2 = tblmask >> w2bits;
	while (--tblmask) {
		if (tblmask < buf2)
			LBNFREE(table2[tblmask], mlen);
		LBNFREE(table1[tblmask], mlen);
	}
	t = table1[0];
	LBNFREE(t, mlen);
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);

	return y;	/* Success */
}

/*
 * 2^exp (mod mod).  This is an optimized version for use in Fermat
 * tests.  The input value of n is ignored; it is returned with
 * "mlen" words valid.
 */
int
lbnTwoExpMod_64(BNWORD64 *n, BNWORD64 const *exp, unsigned elen,
	BNWORD64 *mod, unsigned mlen)
{
	unsigned e;	/* Copy of high words of the exponent */
	unsigned bits;	/* Assorted counter of bits */
	BNWORD64 const *bitptr;
	BNWORD64 bitword, bitpos;
	BNWORD64 *a, *b, *a1;
	BNWORD64 inv;
	int y;		/* Result of bnYield() */

	assert(mlen);

	bitptr = BIGLITTLE(exp-elen, exp+elen-1);
	bitword = *bitptr;
	assert(bitword);

	/* Clear n for future use. */
	lbnZero_64(n, mlen);

	bits = lbnBits_64(exp, elen);

	/* First, a couple of trivial cases. */
	if (bits <= 1) {
		/* 2 ^ 0 == 1,  2 ^ 1 == 2 */
		BIGLITTLE(n[-1],n[0]) = (BNWORD64)1<<elen;
		return 0;
	}

	/* Set bitpos to the most significant bit */
	bitpos = (BNWORD64)1 << ((bits-1) & (64-1));

	/* Now, count the bits in the modulus. */
	bits = lbnBits_64(mod, mlen);
	assert(bits > 1);	/* a 1-bit modulus is just stupid... */

	/*
	 * We start with 1<<e, where "e" is as many high bits of the
	 * exponent as we can manage without going over the modulus.
	 * This first loop finds "e".
	 */
	e = 1;
	while (elen) {
		/* Consume the first bit */
		bitpos >>= 1;
		if (!bitpos) {
			if (!--elen)
				break;
			bitword = BIGLITTLE(*++bitptr,*--bitptr);
			bitpos = (BNWORD64)1<<(64-1);
		}
		e = (e << 1) | ((bitpos & bitword) != 0);
		if (e >= bits) {	/* Overflow!  Back out. */
			e >>= 1;
			break;
		}
	}
	/*
	 * The bit in "bitpos" being examined by the bit buffer has NOT
	 * been consumed yet.  This may be past the end of the exponent,
	 * in which case elen == 1.
	 */

	/* Okay, now, set bit "e" in n.  n is already zero. */
	inv = (BNWORD64)1 << (e & (64-1));
	e /= 64;
	BIGLITTLE(n[-e-1],n[e]) = inv;
	/*
	 * The effective length of n in words is now "e+1".
	 * This is used a little bit later.
	 */

	if (!elen)
		return 0;	/* That was easy! */

	/*
	 * We have now processed the first few bits.  The next step
	 * is to convert this to Montgomery form for further squaring.
	 */

	/* Allocate working storage: two product buffers */
	LBNALLOC(a, BNWORD64, 2*mlen);
	if (!a)
		return -1;
	LBNALLOC(b, BNWORD64, 2*mlen);
	if (!b) {
		LBNFREE(a, 2*mlen);
		return -1;
	}

	/* Convert n to Montgomery form */
	inv = BIGLITTLE(mod[-1],mod[0]);	/* LSW of modulus */
	assert(inv & 1);	/* Modulus must be odd */
	inv = lbnMontInv1_64(inv);
	/* Move n (length e+1, remember?) up "mlen" words into b */
	/* Note that we lie about a1 for a bit - it's pointing to b */
	a1 = BIGLITTLE(b-mlen,b+mlen);
	lbnCopy_64(a1, n, e+1);
	lbnZero_64(b, mlen);
	/* Do the division - dump the quotient into the high-order words */
	(void)lbnDiv_64(a1, b, mlen+e+1, mod, mlen);
	/*
	 * Now do the first squaring and modular reduction to put
	 * the number up in a1 where it belongs.
	 */
	lbnMontSquare_64(a, b, mod, mlen, inv);
	/* Fix up a1 to point to where it should go. */
	a1 = BIGLITTLE(a-mlen,a+mlen);

	/*
	 * Okay, now, a1 holds the number being accumulated, and
	 * b is a scratch register.  Start working:
	 */
	for (;;) {
		/*
		 * Is the bit set?  If so, double a1 as well.
		 * A modular doubling like this is very cheap.
		 */
		if (bitpos & bitword) {
			/*
			 * Double the number.  If there was a carry out OR
			 * the result is greater than the modulus, subract
			 * the modulus.
			 */
			if (lbnDouble_64(a1, mlen) ||
			    lbnCmp_64(a1, mod, mlen) > 0)
				(void)lbnSubN_64(a1, mod, mlen);
		}

		/* Advance to the next exponent bit */
		bitpos >>= 1;
		if (!bitpos) {
			if (!--elen)
				break;	/* Done! */
			bitword = BIGLITTLE(*++bitptr,*--bitptr);
			bitpos = (BNWORD64)1<<(64-1);
		}

		/*
		 * The elen/bitword/bitpos bit buffer is known to be
		 * non-empty, i.e. there is at least one more unconsumed bit.
		 * Thus, it's safe to square the number.
		 */
		lbnMontSquare_64(b, a1, mod, mlen, inv);
		/* Rename result (in b) back to a (a1, really). */
		a1 = b; b = a; a = a1;
		a1 = BIGLITTLE(a-mlen,a+mlen);
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			goto yield;
#endif
	}

	/* DONE!  Just a little bit of cleanup... */

	/*
	 * Convert result out of Montgomery form... this is
	 * just a Montgomery reduction.
	 */
	lbnCopy_64(a, a1, mlen);
	lbnZero_64(a1, mlen);
	lbnMontReduce_64(a, mod, mlen, inv);
	lbnCopy_64(n, a1, mlen);

	/* Clean up - free intermediate storage */
	y = 0;
#if BNYIELD
yield:
#endif
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);

	return y;	/* Success */
}


/*
 * Returns a substring of the big-endian array of bytes representation
 * of the bignum array based on two parameters, the least significant
 * byte number (0 to start with the least significant byte) and the
 * length.  I.e. the number returned is a representation of
 * (bn / 2^(8*lsbyte)) % 2 ^ (8*buflen).
 *
 * It is an error if the bignum is not at least buflen + lsbyte bytes
 * long.
 *
 * This code assumes that the compiler has the minimal intelligence
 * neded to optimize divides and modulo operations on an unsigned data
 * type with a power of two.
 */
void
lbnExtractBigBytes_64(BNWORD64 const *n, unsigned char *buf,
	unsigned lsbyte, unsigned buflen)
{
	BNWORD64 t = 0;	/* Needed to shut up uninitialized var warnings */
	unsigned shift;

	lsbyte += buflen;

	shift = (8 * lsbyte) % 64;
	lsbyte /= (64/8);	/* Convert to word offset */
	BIGLITTLE(n -= lsbyte, n += lsbyte);

	if (shift)
		t = BIGLITTLE(n[-1],n[0]);

	while (buflen--) {
		if (!shift) {
			t = BIGLITTLE(*n++,*--n);
			shift = 64;
		}
		shift -= 8;
		*buf++ = (unsigned char)(t>>shift);
	}
}

/*
 * Merge a big-endian array of bytes into a bignum array.
 * The array had better be big enough.  This is
 * equivalent to extracting the entire bignum into a
 * large byte array, copying the input buffer into the
 * middle of it, and converting back to a bignum.
 *
 * The buf is "len" bytes long, and its *last* byte is at
 * position "lsbyte" from the end of the bignum.
 *
 * Note that this is a pain to get right.  Fortunately, it's hardly
 * critical for efficiency.
 */
void
lbnInsertBigBytes_64(BNWORD64 *n, unsigned char const *buf,
                  unsigned lsbyte,  unsigned buflen)
{
	BNWORD64 t = 0;	/* Shut up uninitialized varibale warnings */

	lsbyte += buflen;

	BIGLITTLE(n -= lsbyte/(64/8), n += lsbyte/(64/8));

	/* Load up leading odd bytes */
	if (lsbyte % (64/8)) {
		t = BIGLITTLE(*--n,*n++);
		t >>= (lsbyte * 8) % 64;
	}

	/* The main loop - merge into t, storing at each word boundary. */
	while (buflen--) {
		t = (t << 8) | *buf++;
		if ((--lsbyte % (64/8)) == 0)
			BIGLITTLE(*n++,*--n) = t;
	}

	/* Merge odd bytes in t into last word */
	lsbyte = (lsbyte * 8) % 64;
	if (lsbyte) {
		t <<= lsbyte;
		t |= (((BNWORD64)1 << lsbyte) - 1) & BIGLITTLE(n[0],n[-1]);
		BIGLITTLE(n[0],n[-1]) = t;
	}

	return;
}

/*
 * Returns a substring of the little-endian array of bytes representation
 * of the bignum array based on two parameters, the least significant
 * byte number (0 to start with the least significant byte) and the
 * length.  I.e. the number returned is a representation of
 * (bn / 2^(8*lsbyte)) % 2 ^ (8*buflen).
 *
 * It is an error if the bignum is not at least buflen + lsbyte bytes
 * long.
 *
 * This code assumes that the compiler has the minimal intelligence
 * neded to optimize divides and modulo operations on an unsigned data
 * type with a power of two.
 */
void
lbnExtractLittleBytes_64(BNWORD64 const *n, unsigned char *buf,
	unsigned lsbyte, unsigned buflen)
{
	BNWORD64 t = 0;	/* Needed to shut up uninitialized var warnings */

	BIGLITTLE(n -= lsbyte/(64/8), n += lsbyte/(64/8));

	if (lsbyte % (64/8)) {
		t = BIGLITTLE(*--n,*n++);
		t >>= (lsbyte % (64/8)) * 8 ;
	}

	while (buflen--) {
		if ((lsbyte++ % (64/8)) == 0)
			t = BIGLITTLE(*--n,*n++);
		*buf++ = (unsigned char)t;
		t >>= 8;
	}
}

/*
 * Merge a little-endian array of bytes into a bignum array.
 * The array had better be big enough.  This is
 * equivalent to extracting the entire bignum into a
 * large byte array, copying the input buffer into the
 * middle of it, and converting back to a bignum.
 *
 * The buf is "len" bytes long, and its first byte is at
 * position "lsbyte" from the end of the bignum.
 *
 * Note that this is a pain to get right.  Fortunately, it's hardly
 * critical for efficiency.
 */
void
lbnInsertLittleBytes_64(BNWORD64 *n, unsigned char const *buf,
                  unsigned lsbyte,  unsigned buflen)
{
	BNWORD64 t = 0;	/* Shut up uninitialized varibale warnings */

	/* Move to most-significant end */
	lsbyte += buflen;
	buf += buflen;

	BIGLITTLE(n -= lsbyte/(64/8), n += lsbyte/(64/8));

	/* Load up leading odd bytes */
	if (lsbyte % (64/8)) {
		t = BIGLITTLE(*--n,*n++);
		t >>= (lsbyte * 8) % 64;
	}

	/* The main loop - merge into t, storing at each word boundary. */
	while (buflen--) {
		t = (t << 8) | *--buf;
		if ((--lsbyte % (64/8)) == 0)
			BIGLITTLE(*n++,*--n) = t;
	}

	/* Merge odd bytes in t into last word */
	lsbyte = (lsbyte * 8) % 64;
	if (lsbyte) {
		t <<= lsbyte;
		t |= (((BNWORD64)1 << lsbyte) - 1) & BIGLITTLE(n[0],n[-1]);
		BIGLITTLE(n[0],n[-1]) = t;
	}

	return;
}

#ifdef DEADCODE	/* This was a precursor to the more flexible lbnExtractBytes */
/*
 * Convert a big-endian array of bytes to a bignum.
 * Returns the number of words in the bignum.
 * Note the expression "64/8" for the number of bytes per word.
 * This is so the word-size adjustment will work.
 */
unsigned
lbnFromBytes_64(BNWORD64 *a, unsigned char const *b, unsigned blen)
{
	BNWORD64 t;
	unsigned alen = (blen + (64/8-1))/(64/8);
	BIGLITTLE(a -= alen, a += alen);

	while (blen) {
		t = 0;
		do {
			t = t << 8 | *b++;
		} while (--blen & (64/8-1));
		BIGLITTLE(*a++,*--a) = t;
	}
	return alen;
}
#endif

/*
 * Computes the GCD of a and b.  Modifies both arguments; when it returns,
 * one of them is the GCD and the other is trash.  The return value
 * indicates which: 0 for a, and 1 for b.  The length of the retult is
 * returned in rlen.  Both inputs must have one extra word of precision.
 * alen must be >= blen.
 *
 * TODO: use the binary algorithm (Knuth section 4.5.2, algorithm B).
 * This is based on taking out common powers of 2, then repeatedly:
 * gcd(2*u,v) = gcd(u,2*v) = gcd(u,v) - isolated powers of 2 can be deleted.
 * gcd(u,v) = gcd(u-v,v) - the numbers can be easily reduced.
 * It gets less reduction per step, but the steps are much faster than
 * the division case.
 */
int
lbnGcd_64(BNWORD64 *a, unsigned alen, BNWORD64 *b, unsigned blen,
	unsigned *rlen)
{
#if BNYIELD
	int y;
#endif
	assert(alen >= blen);

	while (blen != 0) {
		(void)lbnDiv_64(BIGLITTLE(a-blen,a+blen), a, alen, b, blen);
		alen = lbnNorm_64(a, blen);
		if (alen == 0) {
			*rlen = blen;
			return 1;
		}
		(void)lbnDiv_64(BIGLITTLE(b-alen,b+alen), b, blen, a, alen);
		blen = lbnNorm_64(b, alen);
#if BNYIELD
		if (bnYield && (y = bnYield()) < 0)
			return y;
#endif
	}
	*rlen = alen;
	return 0;
}

/*
 * Invert "a" modulo "mod" using the extended Euclidean algorithm.
 * Note that this only computes one of the cosequences, and uses the
 * theorem that the signs flip every step and the absolute value of
 * the cosequence values are always bounded by the modulus to avoid
 * having to work with negative numbers.
 * gcd(a,mod) had better equal 1.  Returns 1 if the GCD is NOT 1.
 * a must be one word longer than "mod".  It is overwritten with the
 * result.
 * TODO: Use Richard Schroeppel's *much* faster algorithm.
 */
int
lbnInv_64(BNWORD64 *a, unsigned alen, BNWORD64 const *mod, unsigned mlen)
{
	BNWORD64 *b;	/* Hold a copy of mod during GCD reduction */
	BNWORD64 *p;	/* Temporary for products added to t0 and t1 */
	BNWORD64 *t0, *t1;	/* Inverse accumulators */
	BNWORD64 cy;
	unsigned blen, t0len, t1len, plen;
	int y;

	alen = lbnNorm_64(a, alen);
	if (!alen)
		return 1;	/* No inverse */

	mlen = lbnNorm_64(mod, mlen);

	assert (alen <= mlen);

	/* Inverse of 1 is 1 */
	if (alen == 1 && BIGLITTLE(a[-1],a[0]) == 1) {
		lbnZero_64(BIGLITTLE(a-alen,a+alen), mlen-alen);
		return 0;
	}

	/* Allocate a pile of space */
	LBNALLOC(b, BNWORD64, mlen+1);
	if (b) {
		/*
		 * Although products are guaranteed to always be less than the
		 * modulus, it can involve multiplying two 3-word numbers to
		 * get a 5-word result, requiring a 6th word to store a 0
		 * temporarily.  Thus, mlen + 1.
		 */
		LBNALLOC(p, BNWORD64, mlen+1);
		if (p) {
			LBNALLOC(t0, BNWORD64, mlen);
			if (t0) {
				LBNALLOC(t1, BNWORD64, mlen);
				if (t1)
						goto allocated;
				LBNFREE(t0, mlen);
			}
			LBNFREE(p, mlen+1);
		}
		LBNFREE(b, mlen+1);
	}
	return -1;

allocated:

	/* Set t0 to 1 */
	t0len = 1;
	BIGLITTLE(t0[-1],t0[0]) = 1;

	/* b = mod */
	lbnCopy_64(b, mod, mlen);
	/* blen = mlen (implicitly) */

	/* t1 = b / a; b = b % a */
	cy = lbnDiv_64(t1, b, mlen, a, alen);
	*(BIGLITTLE(t1-(mlen-alen)-1,t1+(mlen-alen))) = cy;
	t1len = lbnNorm_64(t1, mlen-alen+1);
	blen = lbnNorm_64(b, alen);

	/* while (b > 1) */
	while (blen > 1 || BIGLITTLE(b[-1],b[0]) != (BNWORD64)1) {
		/* q = a / b; a = a % b; */
		if (alen < blen || (alen == blen && lbnCmp_64(a, a, alen) < 0))
			assert(0);
		cy = lbnDiv_64(BIGLITTLE(a-blen,a+blen), a, alen, b, blen);
		*(BIGLITTLE(a-alen-1,a+alen)) = cy;
		plen = lbnNorm_64(BIGLITTLE(a-blen,a+blen), alen-blen+1);
		assert(plen);
		alen = lbnNorm_64(a, blen);
		if (!alen)
			goto failure;	/* GCD not 1 */

		/* t0 += q * t1; */
		assert(plen+t1len <= mlen+1);
		lbnMul_64(p, BIGLITTLE(a-blen,a+blen), plen, t1, t1len);
		plen = lbnNorm_64(p, plen + t1len);
		assert(plen <= mlen);
		if (plen > t0len) {
			lbnZero_64(BIGLITTLE(t0-t0len,t0+t0len), plen-t0len);
			t0len = plen;
		}
		cy = lbnAddN_64(t0, p, plen);
		if (cy) {
			if (t0len > plen) {
				cy = lbnAdd1_64(BIGLITTLE(t0-plen,t0+plen),
						t0len-plen, cy);
			}
			if (cy) {
				BIGLITTLE(t0[-t0len-1],t0[t0len]) = cy;
				t0len++;
			}
		}

		/* if (a <= 1) return a ? t0 : FAIL; */
		if (alen <= 1 && BIGLITTLE(a[-1],a[0]) == (BNWORD64)1) {
			if (alen == 0)
				goto failure;	/* FAIL */
			assert(t0len <= mlen);
			lbnCopy_64(a, t0, t0len);
			lbnZero_64(BIGLITTLE(a-t0len, a+t0len), mlen-t0len);
			goto success;
		}

		/* q = b / a; b = b % a; */
		if (blen < alen || (blen == alen && lbnCmp_64(b, a, alen) < 0))
			assert(0);
		cy = lbnDiv_64(BIGLITTLE(b-alen,b+alen), b, blen, a, alen);
		*(BIGLITTLE(b-blen-1,b+blen)) = cy;
		plen = lbnNorm_64(BIGLITTLE(b-alen,b+alen), blen-alen+1);
		assert(plen);
		blen = lbnNorm_64(b, alen);
		if (!blen)
			goto failure;	/* GCD not 1 */

		/* t1 += q * t0; */
		assert(plen+t0len <= mlen+1);
		lbnMul_64(p, BIGLITTLE(b-alen,b+alen), plen, t0, t0len);
		plen = lbnNorm_64(p, plen + t0len);
		assert(plen <= mlen);
		if (plen > t1len) {
			lbnZero_64(BIGLITTLE(t1-t1len,t1+t1len), plen-t1len);
			t1len = plen;
		}
		cy = lbnAddN_64(t1, p, plen);
		if (cy) {
			if (t1len > plen) {
				cy = lbnAdd1_64(BIGLITTLE(t1-plen,t0+plen),
						t1len-plen, cy);
			}
			if (cy) {
				BIGLITTLE(t1[-t1len-1],t1[t1len]) = cy;
				t1len++;
			}
		}
#if BNYIELD
		if (bnYield && (y = bnYield() < 0))
			goto yield;
#endif
	}

	if (!blen)
		goto failure;	/* gcd(a, mod) != 1 -- FAIL */

	/* return mod-t1 */
	lbnCopy_64(a, mod, mlen);
	assert(t1len <= mlen);
	cy = lbnSubN_64(a, t1, t1len);
	if (cy) {
		assert(mlen > t1len);
		cy = lbnSub1_64(BIGLITTLE(a-t1len, a+t1len), mlen-t1len, cy);
		assert(!cy);
	}

success:
	LBNFREE(t1, mlen);
	LBNFREE(t0, mlen);
	LBNFREE(p, mlen+1);
	LBNFREE(b, mlen+1);

	return 0;

failure:		/* GCD is not 1 - no inverse exists! */
	y = 1;
#if BNYIELD
yield:
#endif
	LBNFREE(t1, mlen);
	LBNFREE(t0, mlen);
	LBNFREE(p, mlen+1);
	LBNFREE(b, mlen+1);

	return y;
}

/*
 * Precompute powers of "a" mod "mod".  Compute them every "bits"
 * for "n" steps.  This is sufficient to compute powers of g with
 * exponents up to n*bits bits long, i.e. less than 2^(n*bits).
 *
 * This assumes that the caller has already initialized "array" to point
 * to "n" buffers of size "mlen".
 */
int
lbnBasePrecompBegin_64(BNWORD64 **array, unsigned n, unsigned bits,
	BNWORD64 const *g, unsigned glen, BNWORD64 *mod, unsigned mlen)
{
	BNWORD64 *a, *b;	/* Temporary double-width accumulators */
	BNWORD64 *a1;	/* Pointer to high half of a*/
	BNWORD64 inv;	/* Montgomery inverse of LSW of mod */
	BNWORD64 *t;
	unsigned i;

	glen = lbnNorm_64(g, glen);
	assert(glen);

	assert (mlen == lbnNorm_64(mod, mlen));
	assert (glen <= mlen);

	/* Allocate two temporary buffers, and the array slots */
	LBNALLOC(a, BNWORD64, mlen*2);
	if (!a)
		return -1;
	LBNALLOC(b, BNWORD64, mlen*2);
	if (!b) {
		LBNFREE(a, 2*mlen);
		return -1;
	}

	/* Okay, all ready */

	/* Convert n to Montgomery form */
	inv = BIGLITTLE(mod[-1],mod[0]);	/* LSW of modulus */
	assert(inv & 1);	/* Modulus must be odd */
	inv = lbnMontInv1_64(inv);
	/* Move g up "mlen" words into a (clearing the low mlen words) */
	a1 = BIGLITTLE(a-mlen,a+mlen);
	lbnCopy_64(a1, g, glen);
	lbnZero_64(a, mlen);

	/* Do the division - dump the quotient into the high-order words */
	(void)lbnDiv_64(a1, a, mlen+glen, mod, mlen);

	/* Copy the first value into the array */
	t = *array;
	lbnCopy_64(t, a, mlen);
	a1 = a;	/* This first value is *not* shifted up */

	/* Now compute the remaining n-1 array entries */
	assert(bits);
	assert(n);
	while (--n) {
		i = bits;
		do {
			/* Square a1 into b1 */
			lbnMontSquare_64(b, a1, mod, mlen, inv);
			t = b; b = a; a = t;
			a1 = BIGLITTLE(a-mlen, a+mlen);
		} while (--i);
		t = *++array;
		lbnCopy_64(t, a1, mlen);
	}

	/* Hooray, we're done. */
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);
	return 0;
}

/*
 * result = base^exp (mod mod).  "array" is a an array of pointers
 * to procomputed powers of base, each 2^bits apart.  (I.e. array[i]
 * is base^(2^(i*bits))).
 *
 * The algorithm consists of:
 * a  = b  = (powers of g to be raised to the power 2^bits-1)
 * a *= b *= (powers of g to be raised to the power 2^bits-2)
 * ...
 * a *= b *= (powers of g to be raised to the power 1)
 *
 * All we do is walk the exponent 2^bits-1 times in groups of "bits" bits,
 */
int
lbnBasePrecompExp_64(BNWORD64 *result, BNWORD64 const * const *array,
       unsigned bits, BNWORD64 const *exp, unsigned elen,
       BNWORD64 const *mod, unsigned mlen)
{
	BNWORD64 *a, *b, *c, *t;
	BNWORD64 *a1, *b1;
	int anull, bnull;	/* Null flags: values are implicitly 1 */
	unsigned i, j;				/* Loop counters */
	unsigned mask;				/* Exponent bits to examime */
	BNWORD64 const *eptr;			/* Pointer into exp */
	BNWORD64 buf, curbits, nextword;	/* Bit-buffer varaibles */
	BNWORD64 inv;				/* Inverse of LSW of modulus */
	unsigned ewords;			/* Words of exponent left */
	int bufbits;				/* Number of valid bits */
	int y = 0;

	mlen = lbnNorm_64(mod, mlen);
	assert (mlen);

	elen = lbnNorm_64(exp, elen);
	if (!elen) {
		lbnZero_64(result, mlen);
		BIGLITTLE(result[-1],result[0]) = 1;
		return 0;
	}
	/*
	 * This could be precomputed, but it's so cheap, and it would require
	 * making the precomputation structure word-size dependent.
	 */
	inv = lbnMontInv1_64(mod[BIGLITTLE(-1,0)]);	/* LSW of modulus */

	assert(elen);

	/*
	 * Allocate three temporary buffers.  The current numbers generally
	 * live in the upper halves of these buffers.
	 */
	LBNALLOC(a, BNWORD64, mlen*2);
	if (a) {
		LBNALLOC(b, BNWORD64, mlen*2);
		if (b) {
			LBNALLOC(c, BNWORD64, mlen*2);
			if (c)
				goto allocated;
			LBNFREE(b, 2*mlen);
		}
		LBNFREE(a, 2*mlen);
	}
	return -1;

allocated:

	anull = bnull = 1;

	mask = (1u<<bits) - 1;
	for (i = mask; i; --i) {
		/* Set up bit buffer for walking the exponent */
		eptr = exp;
		buf = BIGLITTLE(*--eptr, *eptr++);
		ewords = elen-1;
		bufbits = 64;
		for (j = 0; ewords || buf; j++) {
			/* Shift down current buffer */
			curbits = buf;
			buf >>= bits;
			/* If necessary, add next word */
			bufbits -= bits;
			if (bufbits < 0 && ewords > 0) {
				nextword = BIGLITTLE(*--eptr, *eptr++);
				ewords--;
				curbits |= nextword << (bufbits+bits);
				buf = nextword >> -bufbits;
				bufbits += 64;
			}
			/* If appropriate, multiply b *= array[j] */
			if ((curbits & mask) == i) {
				BNWORD64 const *d = array[j];

				b1 = BIGLITTLE(b-mlen-1,b+mlen);
				if (bnull) {
					lbnCopy_64(b1, d, mlen);
					bnull = 0;
				} else {
					lbnMontMul_64(c, b1, d, mod, mlen, inv);
					t = c; c = b; b = t;
				}
#if BNYIELD
				if (bnYield && (y = bnYield() < 0))
					goto yield;
#endif
			}
		}

		/* Multiply a *= b */
		if (!bnull) {
			a1 = BIGLITTLE(a-mlen-1,a+mlen);
			b1 = BIGLITTLE(b-mlen-1,b+mlen);
			if (anull) {
				lbnCopy_64(a1, b1, mlen);
				anull = 0;
			} else {
				lbnMontMul_64(c, a1, b1, mod, mlen, inv);
				t = c; c = a; a = t;
			}
		}
	}

	assert(!anull);	/* If it were, elen would have been 0 */

	/* Convert out of Montgomery form and return */
	a1 = BIGLITTLE(a-mlen-1,a+mlen);
	lbnCopy_64(a, a1, mlen);
	lbnZero_64(a1, mlen);
	lbnMontReduce_64(a, mod, mlen, inv);
	lbnCopy_64(result, a1, mlen);

#if BNYIELD
yield:
#endif
	LBNFREE(c, 2*mlen);
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);

	return y;
}

/*
 * result = base1^exp1 *base2^exp2 (mod mod).  "array1" and "array2" are
 * arrays of pointers to procomputed powers of the corresponding bases,
 * each 2^bits apart.  (I.e. array1[i] is base1^(2^(i*bits))).
 *
 * Bits must be the same in both.  (It could be made adjustable, but it's
 * a bit of a pain.  Just make them both equal to the larger one.)
 *
 * The algorithm consists of:
 * a  = b  = (powers of base1 and base2  to be raised to the power 2^bits-1)
 * a *= b *= (powers of base1 and base2 to be raised to the power 2^bits-2)
 * ...
 * a *= b *= (powers of base1 and base2 to be raised to the power 1)
 *
 * All we do is walk the exponent 2^bits-1 times in groups of "bits" bits,
 */
int
lbnDoubleBasePrecompExp_64(BNWORD64 *result, unsigned bits,
       BNWORD64 const * const *array1, BNWORD64 const *exp1, unsigned elen1,
       BNWORD64 const * const *array2, BNWORD64 const *exp2,
       unsigned elen2, BNWORD64 const *mod, unsigned mlen)
{
	BNWORD64 *a, *b, *c, *t;
	BNWORD64 *a1, *b1;
	int anull, bnull;	/* Null flags: values are implicitly 1 */
	unsigned i, j, k;				/* Loop counters */
	unsigned mask;				/* Exponent bits to examime */
	BNWORD64 const *eptr;			/* Pointer into exp */
	BNWORD64 buf, curbits, nextword;	/* Bit-buffer varaibles */
	BNWORD64 inv;				/* Inverse of LSW of modulus */
	unsigned ewords;			/* Words of exponent left */
	int bufbits;				/* Number of valid bits */
	int y = 0;
	BNWORD64 const * const *array;

	mlen = lbnNorm_64(mod, mlen);
	assert (mlen);

	elen1 = lbnNorm_64(exp1, elen1);
	if (!elen1) {
		return lbnBasePrecompExp_64(result, array2, bits, exp2, elen2,
		                            mod, mlen);
	}
	elen2 = lbnNorm_64(exp2, elen2);
	if (!elen2) {
		return lbnBasePrecompExp_64(result, array1, bits, exp1, elen1,
		                            mod, mlen);
	}
	/*
	 * This could be precomputed, but it's so cheap, and it would require
	 * making the precomputation structure word-size dependent.
	 */
	inv = lbnMontInv1_64(mod[BIGLITTLE(-1,0)]);	/* LSW of modulus */

	assert(elen1);
	assert(elen2);

	/*
	 * Allocate three temporary buffers.  The current numbers generally
	 * live in the upper halves of these buffers.
	 */
	LBNALLOC(a, BNWORD64, mlen*2);
	if (a) {
		LBNALLOC(b, BNWORD64, mlen*2);
		if (b) {
			LBNALLOC(c, BNWORD64, mlen*2);
			if (c)
				goto allocated;
			LBNFREE(b, 2*mlen);
		}
		LBNFREE(a, 2*mlen);
	}
	return -1;

allocated:

	anull = bnull = 1;

	mask = (1u<<bits) - 1;
	for (i = mask; i; --i) {
		/* Walk each exponent in turn */
		for (k = 0; k < 2; k++) {
			/* Set up the exponent for walking */
			array = k ? array2 : array1;
			eptr = k ? exp2 : exp1;
			ewords = (k ? elen2 : elen1) - 1;
			/* Set up bit buffer for walking the exponent */
			buf = BIGLITTLE(*--eptr, *eptr++);
			bufbits = 64;
			for (j = 0; ewords || buf; j++) {
				/* Shift down current buffer */
				curbits = buf;
				buf >>= bits;
				/* If necessary, add next word */
				bufbits -= bits;
				if (bufbits < 0 && ewords > 0) {
					nextword = BIGLITTLE(*--eptr, *eptr++);
					ewords--;
					curbits |= nextword << (bufbits+bits);
					buf = nextword >> -bufbits;
					bufbits += 64;
				}
				/* If appropriate, multiply b *= array[j] */
				if ((curbits & mask) == i) {
					BNWORD64 const *d = array[j];

					b1 = BIGLITTLE(b-mlen-1,b+mlen);
					if (bnull) {
						lbnCopy_64(b1, d, mlen);
						bnull = 0;
					} else {
						lbnMontMul_64(c, b1, d, mod, mlen, inv);
						t = c; c = b; b = t;
					}
#if BNYIELD
					if (bnYield && (y = bnYield() < 0))
						goto yield;
#endif
				}
			}
		}

		/* Multiply a *= b */
		if (!bnull) {
			a1 = BIGLITTLE(a-mlen-1,a+mlen);
			b1 = BIGLITTLE(b-mlen-1,b+mlen);
			if (anull) {
				lbnCopy_64(a1, b1, mlen);
				anull = 0;
			} else {
				lbnMontMul_64(c, a1, b1, mod, mlen, inv);
				t = c; c = a; a = t;
			}
		}
	}

	assert(!anull);	/* If it were, elen would have been 0 */

	/* Convert out of Montgomery form and return */
	a1 = BIGLITTLE(a-mlen-1,a+mlen);
	lbnCopy_64(a, a1, mlen);
	lbnZero_64(a1, mlen);
	lbnMontReduce_64(a, mod, mlen, inv);
	lbnCopy_64(result, a1, mlen);

#if BNYIELD
yield:
#endif
	LBNFREE(c, 2*mlen);
	LBNFREE(b, 2*mlen);
	LBNFREE(a, 2*mlen);

	return y;
}